Bug 1092115 (CVE-2018-9154) - VUL-1: CVE-2018-9154: jasper: Reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c that will lead to denial of service
Summary: VUL-1: CVE-2018-9154: jasper: Reachable abort in the function jpc_dec_process...
Status: RESOLVED FIXED
Alias: CVE-2018-9154
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Deadline: 2020-04-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/205307/
Whiteboard: CVSSv3:SUSE:CVE-2018-9154:4.0:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-07 09:38 UTC by Johannes Segitz
Modified: 2020-10-27 15:27 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer (204 bytes, image/jp2) - 2018-05-07 09:38 UTC, Johannes Segitz
A possible fix (850 bytes, patch) - 2018-06-26 07:26 UTC, Fridrich Strba

Description Johannes Segitz 2018-05-07 09:38:42 UTC
Created attachment 769189
Reproducer

CVE-2018-9154

There is a reachable abort in the function jpc_dec_process_sot in
libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial of
service attack.

Content of the drive folder:
Triggered by: ./jasper --input jasper_POC --output-format jp2

Description of problem:
There is a reachable abort in the function jpc_dec_process_sot of JasPer that will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./jasper --input jasper_POC --output-format jp2

The output information is as follows:

./jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)
Aborted (core dumped)

The gdb debugging information:

(gdb) set args --input jasper_POC --output-format jp2
(gdb) r

Starting program: /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)

(gdb) bt
#0  0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff767602a in __GI_abort () at abort.c:89
#2  0x00007ffff7af5299 in jpc_dec_process_sot (dec=dec@entry=0x60d6b0, ms=ms@entry=0x60d780)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7aeb8e9 in jpc_dec_decode (dec=0x60d6b0)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7a785a4 in jas_image_decode (in=in@entry=0x6094c0, fmt=<optimized out>, optstr=0x0)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/base/jas_image.c:442
#6  0x0000000000401c35 in main (argc=5, argv=<optimized out>)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper.c:236

Program received signal SIGABRT, Aborted.
0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

jpc_dec_process_sot in jpc_dec.c

    if (dec->ppmstab) {
        /* Convert the PPM marker segment data into a collection of streams
           (one stream per tile-part). */
        if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
            abort();   /* frame #2 of the backtrace above (jpc_dec.c:488) */
        }
        jpc_ppxstab_destroy(dec->ppmstab);
        dec->ppmstab = 0;
    }

Reproducer:
jasper --input jasper_POC --output-format jp2
aborts

Affected: All codestreams

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9154
http://www.cvedetails.com/cve/CVE-2018-9154/
https://drive.google.com/drive/u/2/folders/1YuxdfbZrw79kfzoQz0PpxIutZ7pkf_kW
Comment 1 Fridrich Strba 2018-06-26 07:26:47 UTC
Created attachment 775260
A possible fix

I don't know why these two need to be aborts, if the function has a return value to return if something goes wrong. So, I replaced it with the return -1 and it seems to do the right thing.
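As an added illustration of the approach described in this comment (this is not JasPer's code and not the attached patch), the following self-contained C model reproduces the block quoted in the description with the abort() replaced by a -1 return that the caller handles. The PPM record layout, the 64-record cap and every type and function name other than the ones quoted from the report are assumptions made for the example.

```c
#include <stdlib.h>

/* Constructed stand-in for JasPer's PPM table (not the real jpc_ppxstab_t):
 * a buffer of (2-byte big-endian length, payload) records, one per tile-part. */
typedef struct { const unsigned char *data; size_t len; } ppmstab_t;
typedef struct { size_t nstreams; size_t *lens; } pkthdrstreams_t;
typedef struct { ppmstab_t *ppmstab; pkthdrstreams_t *pkthdrstreams; } dec_t;

/* Hypothetical counterpart of jpc_ppmstabtostreams(): returns NULL when a
 * record header is truncated or a declared length runs past the buffer. */
static pkthdrstreams_t *ppmstab_to_streams(const ppmstab_t *tab)
{
    size_t lens[64], pos = 0, n = 0;
    while (pos < tab->len) {
        if (tab->len - pos < 2 || n == 64) return NULL;   /* truncated header */
        size_t reclen = ((size_t)tab->data[pos] << 8) | tab->data[pos + 1];
        pos += 2;
        if (reclen > tab->len - pos) return NULL;         /* runs past buffer */
        lens[n++] = reclen;
        pos += reclen;
    }
    pkthdrstreams_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->lens = malloc((n ? n : 1) * sizeof *s->lens);
    if (!s->lens) { free(s); return NULL; }
    for (size_t i = 0; i < n; i++) s->lens[i] = lens[i];
    s->nstreams = n;
    return s;
}

/* Hardened form of the quoted block: the failure is returned as -1 instead of abort(). */
static int process_sot(dec_t *dec)
{
    if (dec->ppmstab) {
        if (!(dec->pkthdrstreams = ppmstab_to_streams(dec->ppmstab)))
            return -1;                 /* was: abort(); */
        dec->ppmstab = NULL;           /* table consumed, as in the original */
    }
    return 0;
}

/* Decode driver: returns the number of packet-header streams, or -1 for
 * malformed input; in either case the process keeps running. */
int decode_ppm(const unsigned char *buf, size_t len)
{
    ppmstab_t tab = { buf, len };
    dec_t dec = { &tab, NULL };
    int n = process_sot(&dec) < 0 ? -1 : (int)dec.pkthdrstreams->nstreams;
    if (dec.pkthdrstreams) { free(dec.pkthdrstreams->lens); free(dec.pkthdrstreams); }
    return n;
}
```

A record that declares more payload than remains in the buffer now yields -1 from decode_ppm rather than a SIGABRT, which is the behaviour a library caller can act on.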
Comment 2 Fridrich Strba 2018-06-26 07:27:07 UTC
Is there an upstream bug for this?
Comment 3 Johannes Segitz 2018-06-26 08:35:40 UTC
nope, but https://github.com/mdadams/jasper/issues/166 looks similar, especially regarding the return value
Comment 5 Michael Vetter 2020-03-18 13:40:02 UTC
SR#214173 to SLE-15
SR#214174 to SLE-12
SR#214176 to SLE-11
SR#214177 to SLE-10-SP3

Upstream PR: https://github.com/mdadams/jasper/pull/216
Comment 7 Swamp Workflow Management 2020-03-19 15:04:53 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2020-04-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64427
Comment 8 Swamp Workflow Management 2020-05-26 13:28:22 UTC
SUSE-SU-2020:1420-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1092115
CVE References: CVE-2018-9154
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    jasper-2.0.14-3.11.8
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    jasper-2.0.14-3.11.8

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-05-29 19:24:17 UTC
openSUSE-SU-2020:0734-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1092115
CVE References: CVE-2018-9154
Sources used:
openSUSE Leap 15.1 (src):    jasper-2.0.14-lp151.4.6.1
Comment 10 Swamp Workflow Management 2020-07-15 13:23:17 UTC
SUSE-SU-2020:1420-2: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1092115
CVE References: CVE-2018-9154
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    jasper-2.0.14-3.11.8
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    jasper-2.0.14-3.11.8
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    jasper-2.0.14-3.11.8

Comment 13 Swamp Workflow Management 2020-09-21 13:16:19 UTC
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    jasper-1.900.14-195.22.1

Comment 14 Alexandros Toptsoglou 2020-10-27 15:27:26 UTC
DONE