Bugzilla – Bug 1020458
VUL-1: CVE-2017-5504: jasper: invalid memory read in jpc_undo_roi (jpc_dec.c)
Last modified: 2021-01-09 08:19:42 UTC
Ref: http://seclists.org/oss-sec/2017/q1/103 ============================================= Description: jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. Another round of fuzzing shows that a crafted image causes an invalid memory read. The complete ASan output: # imginfo -f $FILE ==22872==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8a4a950800 (pc 0x7f8e4a543b93 bp 0x7ffe29bfdcd0 sp 0x7ffe29bfdb80 T0) ==22872==The signal is caused by a READ memory access. #0 0x7f8e4a543b92 in jpc_undo_roi /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10 #1 0x7f8e4a543b92 in jpc_dec_tiledecode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1104 #2 0x7f8e4a534cdf in jpc_dec_process_sod /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7 #3 0x7f8e4a53e6b3 in jpc_dec_decode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10 #4 0x7f8e4a53e6b3 in jpc_decode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262 #5 0x7f8e4a4a0b84 in jas_image_decode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16 #6 0x509eed in main /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16 #7 0x7f8e495a861f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #8 0x419978 in _init (/usr/bin/imginfo+0x419978) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10 in jpc_undo_roi ==22872==ABORTING Affected version: 1.900.27 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00054-jasper-invalidread-jpc_undo_roi Timeline: 2016-11-20: bug discovered and reported upstream 2017-01-16: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c -- Agostino =============================================
bugbot adjusting priority
All codestreams are affected: SLE-11:Update and SLE-12:Update segfault like described in the advisory in `jpc_undo_roi()`. SLE-10-SP3:Update runs into an assertion: imginfo: jpc_qmfb.c:1091: jpc_qmfb1d_getbands: Assertion `bands[1].locend == end' failed.
So far there seems to be no upstream fix available.
Fix https://github.com/jasper-software/jasper/commit/e2f2e5f4022baef2386eec25c57b63debfe4cb20 jasper-CVE-2017-5503-CVE-2017-5504-CVE-2017-5505.patch in home:mvetter:jasper-cves. Will submit once more issues are fixed.
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available. Category: security (low) Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.22.1 SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.9.1
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: openSUSE Leap 15.2 (src): jasper-2.0.14-lp152.7.3.1
released now