Bugzilla – Bug 1092115
VUL-1: CVE-2018-9154: jasper: Reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c that will lead to denial of service
Last modified: 2020-10-27 15:27:26 UTC
Created attachment 769189 [details]
Reproducer CVE-2018-9154

There is a reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial of service attack.

Content of the drive folder:

Triggered by: ./jasper --input jasper_POC --output-format jp2

Description of problem:
There is a reachable abort in function jpc_dec_process_sot of JasPer that will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./jasper --input jasper_POC --output-format jp2

The output information is as follows:

./jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)
Aborted (core dumped)

The gdb debugging information:

(gdb) set args --input jasper_POC --output-format jp2
(gdb) r
Starting program: /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)
(gdb) bt
#0  0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff767602a in __GI_abort () at abort.c:89
#2  0x00007ffff7af5299 in jpc_dec_process_sot (dec=dec@entry=0x60d6b0, ms=ms@entry=0x60d780) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7aeb8e9 in jpc_dec_decode (dec=0x60d6b0) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7a785a4 in jas_image_decode (in=in@entry=0x6094c0, fmt=<optimized out>, optstr=0x0) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/base/jas_image.c:442
#6  0x0000000000401c35 in main (argc=5, argv=<optimized out>) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper.c:236

Program received signal SIGABRT, Aborted.
0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

jpc_dec_process_sot in jpc_dec.c:

    if (dec->ppmstab) {
        /* Convert the PPM marker segment data into a collection of streams
           (one stream per tile-part). */
        if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
            abort();
        }
        jpc_ppxstab_destroy(dec->ppmstab);
        dec->ppmstab = 0;
    }

Reproducer:
jasper --input jasper_POC --output-format jp2 aborts

Affected:
All codestreams

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9154
http://www.cvedetails.com/cve/CVE-2018-9154/
https://drive.google.com/drive/u/2/folders/1YuxdfbZrw79kfzoQz0PpxIutZ7pkf_kW
Created attachment 775260 [details]
A possible fix

I don't know why these two need to be aborts, if the function has a return value to return if something goes wrong. So, I replaced them with return -1 and it seems to do the right thing.
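The comment above replaces the abort() calls with an error return. The following is an added illustration of that pattern, not code from JasPer or from the attached patch: a small C model in which the conversion step reports malformed marker data through its return value and the caller propagates the failure, so a bad file produces an error instead of SIGABRT. Every name here (dec_t, ppm_to_streams, dec_process_sot, dec_decode, decode_buffer) and the record layout used for the PPM data are hypothetical stand-ins; the real layout that jpc_ppmstabtostreams() parses is not reproduced.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal decoder state, standing in for jpc_dec_t. */
typedef struct {
    const unsigned char *ppmdata;   /* concatenated PPM marker segment data, or NULL */
    size_t ppmlen;
    size_t numstreams;              /* set on success; stands in for pkthdrstreams */
} dec_t;

/* Constructed stand-in for jpc_ppmstabtostreams(): treat the data as a sequence
   of (4-byte big-endian length, payload) records, one per tile-part, and count
   them. Returns 0 on success, -1 if a length field is truncated or a declared
   length runs past the end of the buffer. The real JasPer format differs. */
static int ppm_to_streams(const unsigned char *data, size_t len, size_t *count)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        if (len - pos < 4)
            return -1;                       /* truncated length field */
        size_t reclen = ((size_t)data[pos] << 24) | ((size_t)data[pos + 1] << 16)
                      | ((size_t)data[pos + 2] << 8) | (size_t)data[pos + 3];
        pos += 4;
        if (reclen > len - pos)
            return -1;                       /* declared length overruns buffer */
        pos += reclen;
        n++;
    }
    *count = n;
    return 0;
}

/* Error-returning version of the block quoted in the report: a failed
   conversion is reported to the caller instead of calling abort(). */
static int dec_process_sot(dec_t *dec)
{
    if (dec->ppmdata) {
        if (ppm_to_streams(dec->ppmdata, dec->ppmlen, &dec->numstreams) != 0) {
            fprintf(stderr, "error: malformed PPM marker segment data\n");
            return -1;
        }
        dec->ppmdata = NULL;   /* table consumed, as jpc_ppxstab_destroy() does */
        dec->ppmlen = 0;
    }
    return 0;
}

/* Caller standing in for jpc_dec_decode(): propagates the error so the
   application, not the library, decides what to do with a rejected file. */
static int dec_decode(dec_t *dec)
{
    if (dec_process_sot(dec) < 0)
        return -1;
    return 0;
}

/* Returns the number of streams built, or -1 if decoding was rejected. */
long decode_buffer(const unsigned char *buf, size_t len)
{
    dec_t dec = { buf, len, 0 };
    if (dec_decode(&dec) < 0)
        return -1;
    return (long)dec.numstreams;
}

/* Constructed inputs: a well-formed two-record buffer, and one whose second
   record claims 9 payload bytes when only 1 remains. */
const unsigned char good_ppm[] = { 0, 0, 0, 2, 0xAA, 0xBB, 0, 0, 0, 1, 0xCC };
const unsigned char bad_ppm[]  = { 0, 0, 0, 2, 0xAA, 0xBB, 0, 0, 0, 9, 0xCC };

int main(void)
{
    printf("good: %ld streams\n", decode_buffer(good_ppm, sizeof good_ppm));
    printf("bad:  %ld\n", decode_buffer(bad_ppm, sizeof bad_ppm));
    return 0;
}
```

The point of the shape is the contract between library and caller: a parser invoked on untrusted input must have a path that returns an error for every malformed case, because an abort() on that path turns any crafted file into a process-wide crash for every application linking the library.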
Is there an upstream bug for this?
nope, but https://github.com/mdadams/jasper/issues/166 looks similar, especially regarding the return value
SR#214173 to SLE-15
SR#214174 to SLE-12
SR#214176 to SLE-11
SR#214177 to SLE-10-SP3

Upstream PR: https://github.com/mdadams/jasper/pull/216
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2020-04-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64427
SUSE-SU-2020:1420-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1092115
CVE References: CVE-2018-9154
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.11.8
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.11.8

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0734-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1092115
CVE References: CVE-2018-9154
Sources used:
openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.6.1
SUSE-SU-2020:1420-2: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1092115
CVE References: CVE-2018-9154
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): jasper-2.0.14-3.11.8
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.11.8
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.11.8

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
DONE