Bugzilla – Bug 1020460
VUL-1: CVE-2017-5505: jasper: invalid memory read in jas_matrix_asl (jas_seq.c)
Last modified: 2020-10-21 09:19:06 UTC
Ref: http://seclists.org/oss-sec/2017/q1/104 ============================================= Description: jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. Another round of fuzzing shows that a crafted image causes an invalid memory read. The complete ASan output: # imginfo -f $FILE ==26941==ERROR: AddressSanitizer: SEGV on unknown address 0x62c80000a400 (pc 0x7f28c74e48ee bp 0x7ffcececdb70 sp 0x7ffcececdaf0 T0) ==26941==The signal is caused by a READ memory access. #0 0x7f28c74e48ed in jas_matrix_asl /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_seq.c:376:11 #1 0x7f28c7545f0e in jpc_dec_tiledecode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1107:6 #2 0x7f28c7536cdf in jpc_dec_process_sod /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7 #3 0x7f28c75406b3 in jpc_dec_decode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10 #4 0x7f28c75406b3 in jpc_decode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262 #5 0x7f28c74a2b84 in jas_image_decode /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16 #6 0x509eed in main /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16 #7 0x7f28c65aa61f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #8 0x419978 in _init (/usr/bin/imginfo+0x419978) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media- libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_seq.c:376:11 in jas_matrix_asl ==26941==ABORTING Affected version: 1.900.27 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00053-jasper-invalidread-jas_matrix_asl Timeline: 2016-11-20: bug discovered and reported upstream 2017-01-16: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c -- Agostino =============================================
bugbot adjusting priority
I cannot reproduce this in any of our codestreams. All exit programmatically like this: cannot get marker segment cannot load image Also valgrind shows no invalid reads. But the current upstream git version *does* segfault. Also an older upstream build with version 1.900.14 does segfault. I don't understand, why our codestreams react differently. Maybe some patches or something in the build environment...
I found out that only after this upstream commit, that fixes some integer overflow issues, the PoC from this issue triggers: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a This commit is first found starting in version 1.900.25. So none of our codestreams is affected at the moment, but might become affected if we should patch other CVEs that target the integer overflows (like bug 1020353).
This issue is not yet fixed on the upstream master git branch. So there seems to be no fix available.
Fix https://github.com/jasper-software/jasper/commit/e2f2e5f4022baef2386eec25c57b63debfe4cb20 jasper-CVE-2017-5503-CVE-2017-5504-CVE-2017-5505.patch in home:mvetter:jasper-cves. Will submit once more issues are fixed.
https://build.suse.de/request/show/224666 SLE-15 / jasper https://build.suse.de/request/show/224667 SLE-12 / jasper https://build.suse.de/request/show/224668 SLE-11 / jasper
Last SRs hat a copy-paste error in the changelog not referencing this bug. SLE11: SR#225217 SLE12: SR#225218 SLE15: SR#225220 Fixes this.
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available. Category: security (low) Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.22.1 SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed in all supported code streams.
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.9.1
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: openSUSE Leap 15.2 (src): jasper-2.0.14-lp152.7.3.1