Bug 1020451 (CVE-2017-5499) - VUL-1: CVE-2017-5499,CVE-2017-5500,CVE-2017-5501,CVE-2017-5502: jasper: multiple crashes with UBSAN
Summary: VUL-1: CVE-2017-5499,CVE-2017-5500,CVE-2017-5501,CVE-2017-5502: jasper: multi...
Status: RESOLVED FIXED
Alias: CVE-2017-5499
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: unspecified
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/178724
Whiteboard: CVSSv2:SUSE:CVE-2017-5499:4.3:(AV:N/...
Keywords:
Depends on:
Blocks: CVE-2017-5503 CVE-2017-5505
Reported: 2017-01-17 17:31 UTC by Mikhail Kasimov
Modified: 2020-12-22 08:46 UTC
CC: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2017-01-17 17:31:59 UTC
Ref: [1] http://seclists.org/oss-sec/2017/q1/101
==============================================
Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.

With the undefined behavior sanitizer enabled, jasper crashes showing some 
left shift and some signed integer overflow.

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9: runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot be represented in type 'long'

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long')

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49: runtime error: left shift of negative value -26

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-28: bug discovered and reported to upstream
2017-01-16: blog post about the issues

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/

--
Agostino
==============================================

CVE assignment: [2] http://seclists.org/oss-sec/2017/q1/106

[3] https://software.opensuse.org/package/jasper

Although the jasper version here is 1.900.14, it can also be vulnerable.
Comment 1 Swamp Workflow Management 2017-01-17 23:02:43 UTC
bugbot adjusting priority
Comment 2 Matthias Gerstner 2017-01-18 10:28:57 UTC
CVE-2017-5498 is already handled in #1020353
Comment 3 Matthias Gerstner 2017-01-18 10:38:03 UTC
Regarding

  libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233

The issue can only be reproduced if jasper is compiled with
'-fsanitize=undefined'. In all of our codestreams the reproducer causes the
following assertion:

  imginfo: jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed.

So this can be seen as a possible denial of service. In the current upstream
release of jasper the reproducer terminates with a programmatical error instead:

  maximum number of samples exceeded (11223956736 > 67108864)
  error: cannot decode code stream
  cannot load image

The related upstream commit might be this one:

  https://github.com/mdadams/jasper/commit/5185cb13

But there have been multiple similar commits for different decoders.
Comment 4 Matthias Gerstner 2017-01-18 10:57:41 UTC
Regarding

  libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819

The issue can only be reproduced if jasper is compiled with
'-fsanitize=undefined'. In all of our codestreams the reproducer causes the
following assertion:

  imginfo: jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.

So this can be seen as a possible denial of service. In the current upstream
release of jasper the reproducer terminates with a programmatical error
instead:

  warning: component data type mismatch
  error: no COLR box
  cannot load image

I couldn't find a related upstream commit for this. I think the function where
this is happening is `jpc_calcabsstepsize()` and nothing was changed there.

As this is also a bit shifting issue, my findings from bug 1020353 may also be
valid.
Comment 5 Matthias Gerstner 2017-01-18 11:12:36 UTC
Regarding

  libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485

The issue can only be reproduced if jasper is compiled with
'-fsanitize=undefined'. In all of our codestreams the reproducer causes a
SIGABRT with no output.

So this can be seen as a possible denial of service. However, the current
upstream code of jasper also simply aborts in this case. It seems nothing was
fixed yet.

The related code seems to be in function jp2_validate() which hasn't been
changed upstream since the issue being reported.
Comment 6 Matthias Gerstner 2017-01-18 11:24:46 UTC
Regarding

  libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838

The issue can only be reproduced if jasper is compiled with
'-fsanitize=undefined'. In all of our codestreams the reproducer causes the
following assertion:

  imginfo: jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.

So this can be seen as a possible denial of service. In the current upstream
release of jasper the reproducer terminates with a programmatical error
instead:

  error: missing IHDR box
  cannot load image

The related upstream commit might be this one:

  https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

My findings from bug 1020353 regarding the bit shifting operations probably
apply here, too.
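The sanitizer reports in the description name three classes of undefined behaviour (left shift of a negative value, a shift exponent wider than the type, and signed multiply overflow), and Comment 3 shows that current upstream instead rejects the file on a "maximum number of samples exceeded" check. The following is an added C example written for this page; it is not jasper's code and does not reproduce jasper's decoder. `fix_t`, `checked_scale`, `checked_sample_count` and the cap value passed in `main` are illustrative names and inputs, constructed from the numbers quoted in the report. It shows the unchecked arithmetic pattern UBSAN trips on next to a hardened form that validates the shift count, replaces the signed shift with an overflow-checked multiply by a power of two, and bounds the sample count before any allocation would happen.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the 64-bit signed fixed-point type ('long') the sanitizer
 * names in the report. Illustrative only, not jasper's own typedef. */
typedef int64_t fix_t;

/* Unchecked arithmetic of the kind UBSAN flagged: the shifted operand may be
 * negative, the shift count may exceed the type width, and the multiply may
 * overflow. Built with -fsanitize=undefined each of these traps; without the
 * sanitizer the compiler is free to assume they never happen. */
static fix_t unchecked_scale(fix_t v, int shift, fix_t mult)
{
    return (v << shift) * mult;
}

/* Hardened form. The shift is expressed as a multiply by 2^shift, which is
 * well defined for negative operands; the shift count is validated first; and
 * both multiplies are overflow-checked with the GCC/Clang builtin. On any
 * untrustworthy input the function reports failure instead of a value. */
static bool checked_scale(fix_t v, int shift, fix_t mult, fix_t *out)
{
    /* 2^shift must itself fit in fix_t: at most width-2 for a signed type. */
    if (shift < 0 || shift > (int)(sizeof(fix_t) * CHAR_BIT) - 2)
        return false;                          /* e.g. "shift exponent 117" */
    fix_t pow2 = (fix_t)1 << shift;
    fix_t tmp;
    if (__builtin_mul_overflow(v, pow2, &tmp))
        return false;                          /* shifted value would not fit */
    if (__builtin_mul_overflow(tmp, mult, out))
        return false;                          /* signed integer overflow */
    return true;
}

/* Sample-count guard of the kind the upstream "maximum number of samples
 * exceeded" message implies: compute width * height * components without
 * overflow and reject anything above a caller-chosen cap. The cap is a
 * parameter here; it is not jasper's own constant. */
static bool checked_sample_count(uint32_t width, uint32_t height,
                                 uint32_t numcmpts, uint64_t cap,
                                 uint64_t *out)
{
    uint64_t n;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &n))
        return false;
    if (__builtin_mul_overflow(n, (uint64_t)numcmpts, &n))
        return false;
    if (n > cap)
        return false;
    *out = n;
    return true;
}

int main(void)
{
    fix_t r;
    uint64_t n;

    /* Constructed inputs taken from the values quoted in the report. */
    printf("shift -185 left by 3: %s\n",
           checked_scale(-185, 3, 1, &r) ? "ok" : "rejected");
    printf("shift exponent 117: %s\n",
           checked_scale(5, 117, 1, &r) ? "ok" : "rejected");
    printf("-64356352 * 6359082673847140352: %s\n",
           checked_scale(-64356352, 0, 6359082673847140352LL, &r) ? "ok" : "rejected");
    printf("4096x4096x4 samples, cap 67108864: %s\n",
           checked_sample_count(4096, 4096, 4, 67108864ULL, &n) ? "ok" : "rejected");
    return 0;
}
```

Build it once plainly and once with `-fsanitize=undefined` to see the difference the comments above describe: only `unchecked_scale` fed with the report's values trips the sanitizer, while `checked_scale` and `checked_sample_count` return false on the same inputs under either build.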
Comment 9 Michael Vetter 2020-08-13 12:52:53 UTC
Fix https://github.com/jasper-software/jasper/commit/8c4e99592e7da53a9de2934bc7781535d0e0595d

jasper-CVE-2017-5499.patch in home:mvetter:jasper-cves.
Will submit once more issues are fixed.
Comment 12 Swamp Workflow Management 2020-09-21 13:15:28 UTC
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-09-21 13:22:41 UTC
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    jasper-2.0.14-3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Wolfgang Frisch 2020-09-24 13:48:19 UTC
Fixed in all supported code streams.
Comment 15 Swamp Workflow Management 2020-09-24 16:18:18 UTC
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    jasper-2.0.14-lp151.4.9.1
Comment 16 Swamp Workflow Management 2020-09-25 10:18:18 UTC
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    jasper-2.0.14-lp152.7.3.1