Bug 1115637 (CVE-2018-19139) - VUL-1: CVE-2018-19139: jasper: An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c.
Summary: VUL-1: CVE-2018-19139: jasper: An issue has been found in JasPer 2.0.14. Ther...
Status: IN_PROGRESS
Alias: CVE-2018-19139
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Johannes Meixner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/219011/
Whiteboard: CVSSv3:SUSE:CVE-2018-19139:3.3:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-12 15:13 UTC by Marcus Meissner
Modified: 2023-12-20 14:50 UTC (History)
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2018-19139.jasper (492 bytes, image/jp2)
2018-11-12 15:21 UTC, Marcus Meissner
this extra patch probably fixed this bug (15.25 KB, patch)
2020-09-16 10:34 UTC, jun wang

Description Marcus Meissner 2018-11-12 15:13:38 UTC
CVE-2018-19139

An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c
when called from jpc_unk_getparms in jpc_cs.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19139
http://www.cvedetails.com/cve/CVE-2018-19139/
https://github.com/mdadams/jasper/issues/188
Comment 1 Marcus Meissner 2018-11-12 15:21:01 UTC
Created attachment 789403 [details]
CVE-2018-19139.jasper

QA REPRODUCER:

valgrind --leak-check=full jasper  --input CVE-2018-19139.jasper  --output foo.jpg

will show the leak:

==31128== 1,077 (16 direct, 1,061 indirect) bytes in 1 blocks are definitely lost in loss record 9 of 13
==31128==    at 0x4C2A110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31128==    by 0x4E4B7BA: jas_malloc (in /usr/lib64/libjasper.so.1.0.0)
==31128==    by 0x4E5840D: jpc_ppxstab_create (in /usr/lib64/libjasper.so.1.0.0)
Comment 2 Alexander Bergmann 2019-04-23 14:20:41 UTC
According to the github project this issue still exists. No upstream fix available.

Reference:
https://github.com/mdadams/jasper/issues/188
Comment 3 Michael Vetter 2020-08-17 11:26:29 UTC
Fix https://github.com/jasper-software/jasper/commit/708871879b86443c28bcb5505d3fd04e8384f8aa

jasper-CVE-2018-19139.patch in home:mvetter:jasper-cves.
Will submit once more issues are fixed.
Comment 11 jun wang 2020-09-16 10:34:05 UTC
Created attachment 841716 [details]
this extra patch probably fixed this bug

Hi Michael, I checked the upstream patch and created this extra patch, and it probably fixes this bug. This is the output after applying this patch:

# valgrind -v --tool=memcheck --leak-check=full jasper --input /root/Desktop/jasper/CVE-2018-19139.jasper --output test.bmp --output-format bmp
==28983== Memcheck, a memory error detector
==28983== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==28983== Using Valgrind-3.15.0-608cb11914-20190413 and LibVEX; rerun with -h for copyright info
==28983== Command: jasper --input /root/Desktop/jasper/CVE-2018-19139.jasper --output test.bmp --output-format bmp
==28983==
--28983-- Valgrind options:
--28983--    -v
--28983--    --tool=memcheck
--28983--    --leak-check=full
--28983-- Contents of /proc/version:
--28983--   Linux version 5.3.18-22-default (geeko@buildhost) (gcc version 7.5.0 (SUSE Linux)) #1 SMP Wed Jun 3 12:16:43 UTC 2020 (720aeba)
--28983--
--28983-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-rdrand
--28983-- Page sizes: currently 4096, max supported 4096
--28983-- Valgrind library directory: /usr/lib64/valgrind
--28983-- Reading syms from /usr/bin/jasper
--28983--   Considering /usr/lib/debug/.build-id/b6/e0b2a89ce503e50571aaa1b35e82e678901e60.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/ld-2.26.so
--28983--   Considering /usr/lib/debug/.build-id/04/3ede58def1b1c623c39d4c61e2033cc8997c17.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /usr/lib64/valgrind/memcheck-amd64-linux
--28983--    object doesn't have a symbol table
--28983--    object doesn't have a dynamic symbol table
--28983-- Scheduler: using generic scheduler lock implementation.
--28983-- Reading suppressions file: /usr/lib64/valgrind/default.supp
==28983== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-28983-by-root-on-ldap-s
==28983==
==28983== TO CONTROL THIS PROCESS USING vgdb (which you probably
==28983== don't want to do, unless you know exactly what you're doing,
==28983== or are doing some strange experiment):
==28983==   /usr/lib64/valgrind/../../bin/vgdb --pid=28983 ...command...
==28983==
==28983== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==28983==   /path/to/gdb jasper
==28983== and then give GDB the following command
==28983==   target remote | /usr/lib64/valgrind/../../bin/vgdb --pid=28983
==28983== --pid is optional if only one valgrind process is running
==28983==
--28983-- REDIR: 0x401d420 (ld-linux-x86-64.so.2:strlen) redirected to 0x581dc99e (???)
--28983-- REDIR: 0x401d200 (ld-linux-x86-64.so.2:index) redirected to 0x581dc9b8 (???)
--28983-- Reading syms from /usr/lib64/valgrind/vgpreload_core-amd64-linux.so
--28983--    object doesn't have a symbol table
--28983-- Reading syms from /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so
--28983--    object doesn't have a symbol table
==28983== WARNING: new redirection conflicts with existing -- ignoring it
--28983--     old: 0x0401d420 (strlen              ) R-> (0000.0) 0x581dc99e ???
--28983--     new: 0x0401d420 (strlen              ) R-> (2007.0) 0x04c31960 strlen
--28983-- REDIR: 0x401b490 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4c32a90 (strcmp)
--28983-- REDIR: 0x401d960 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x4c367c0 (mempcpy)
--28983-- Reading syms from /usr/lib64/libasan.so.4.0.0
--28983--   Considering /usr/lib/debug/.build-id/8c/c4575d2beb37fd03033998853e1def50c57ccb.debug ..
--28983--   .. build-id is valid
--28983-- Warning: cross-CU LIMITATION: some inlined fn names
--28983-- might be shown as UnknownInlinedFun
--28983-- Reading syms from /usr/lib64/libjasper.so.4.0.0
--28983--   Considering /usr/lib/debug/.build-id/6a/ec7f83a29ecf7497bfb45c8af4a04bdc826837.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/libc-2.26.so
--28983--   Considering /usr/lib/debug/.build-id/3b/e1cc2fdd9db99aca2e5b2c93bc5780211799b0.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/libdl-2.26.so
--28983--   Considering /usr/lib/debug/.build-id/76/378f66e20aa2fa7fa82e1e6ee4ca0d7ab6f614.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/librt-2.26.so
--28983--   Considering /usr/lib/debug/.build-id/c0/a277ea5dcfbe7fb7abc6b46d96fad29770fedf.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/libpthread-2.26.so
--28983--   Considering /usr/lib/debug/.build-id/4d/6fe10266d768c8c0a6605c436c11a0d4a2ac8a.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /usr/lib64/libstdc++.so.6.0.28
--28983--   Considering /usr/lib/debug/.build-id/79/03643c121e93a90d071803678e2c9d2e076afc.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/libm-2.26.so
--28983--   Considering /usr/lib/debug/.build-id/63/fbf6278552f3325e30b8df2b5a6fc725b0b34e.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /lib64/libgcc_s.so.1
--28983--   Considering /usr/lib/debug/.build-id/38/d69d1b315873ae72416a41dfcf0825091babad.debug ..
--28983--   .. build-id is valid
--28983-- Reading syms from /usr/lib64/libjpeg.so.62.2.0
--28983--   Considering /usr/lib/debug/.build-id/9d/116cd07118d8d7b40fb6a7c7ea3f3fd76b4f36.debug ..
--28983--   .. build-id is valid
--28983-- REDIR: 0x614d8a0 (libc.so.6:memmove) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614cad0 (libc.so.6:strncpy) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614db80 (libc.so.6:strcasecmp) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614c520 (libc.so.6:strcat) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614cb00 (libc.so.6:rindex) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614f150 (libc.so.6:rawmemchr) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x6168700 (libc.so.6:wmemchr) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614da10 (libc.so.6:mempcpy) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614d840 (libc.so.6:bcmp) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614ca90 (libc.so.6:strncmp) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614c590 (libc.so.6:strcmp) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614d970 (libc.so.6:memset) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x6167400 (libc.so.6:wcschr) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614ca30 (libc.so.6:strnlen) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614c600 (libc.so.6:strcspn) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614dbd0 (libc.so.6:strncasecmp) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614c5d0 (libc.so.6:strcpy) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614dd10 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x6169960 (libc.so.6:wcsnlen) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614cb30 (libc.so.6:strpbrk) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614c550 (libc.so.6:index) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614ca00 (libc.so.6:strlen) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x6153a50 (libc.so.6:memrchr) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614dc20 (libc.so.6:strcasecmp_l) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614d810 (libc.so.6:memchr) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x61681c0 (libc.so.6:wcslen) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614cde0 (libc.so.6:strspn) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614db50 (libc.so.6:stpncpy) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614db20 (libc.so.6:stpcpy) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614f180 (libc.so.6:strchrnul) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
--28983-- REDIR: 0x614dc70 (libc.so.6:strncasecmp_l) redirected to 0x4a286b0 (_vgnU_ifunc_wrapper)
==28983==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.
--28983-- REDIR: 0x4f17100 (libasan.so.4:free) redirected to 0x4c2f4a0 (free)
==28983==
==28983== HEAP SUMMARY:
==28983==     in use at exit: 0 bytes in 0 blocks
==28983==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==28983==
==28983== All heap blocks were freed -- no leaks are possible
==28983==
==28983== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

I don't know jasper well, so I am not sure whether this patch is OK; it is just a reference.
Comment 12 Michael Vetter 2020-09-16 13:04:19 UTC
Hi Jun!
Does it also solve the other bug where you mentioned a memleak?

Can you tell me the commit id?
Comment 13 jun wang 2020-09-17 01:23:04 UTC
(In reply to Michael Vetter from comment #12)
> Hi Jun!
> Does it also solve the other bug where you mentioned a memleak?
> 
> Can you tell me the commit id?

This patch is from https://github.com/jasper-maint/jasper/pull/38/files. Part of that code had already been introduced in our jasper, so the patch from comment #11 has been appropriately modified.

I debugged jasper with ASAN. With this patch I don't get a memleak for most of the bugs, except for this reproducer from bug 1020451:

# LSAN_OPTIONS=verbosity=1:log_threads=1 imginfo -f jasper/00030-jasper-leftshift-jp2_dec_c
...
==3176==Installed the sigaction for signal 11
==3176==Installed the sigaction for signal 7
==3176==Installed the sigaction for signal 8
==3176==T0: stack [0x7ffc899db000,0x7ffc8a1db000) size 0x800000; local=0x7ffc8a1d942c
==3176==LeakSanitizer: Dynamic linker not found. TLS will not be handled correctly.
==3176==AddressSanitizer Init done
cannot load image
==3177==Processing thread 3176.
==3177==Stack at 0x7ffc899db000-0x7ffc8a1db000 (SP = 0x7ffc8a1d9048).
==3177==TLS at 0x7f20f5337000-0x7f20f53380c0.

=================================================================
==3176==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48576 byte(s) in 253 object(s) allocated from:
    #0 0x7f20f4260500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0x7f20f3efe989  (/usr/lib64/libjasper.so.4+0x4d989)

SUMMARY: AddressSanitizer: 48576 byte(s) leaked in 253 allocation(s).


I don't know jasper well, so I am not sure whether the patch (comment #11) is reliable. If you need more information, please let me know.
Comment 14 Michael Vetter 2020-09-17 08:11:31 UTC
Great work Jun, thanks!

Some clarifications:
The repo you are looking at is https://github.com/jasper-maint/jasper which was our fork of jasper. All the work has by now been merged into https://github.com/jasper-software/jasper which is the official upstream location.

You are right, https://github.com/jasper-maint/jasper/pull/38 fixes this. But that is a pull request containing 35 commits, so what we need are the actual commits.

They seem to be:

fix memory leak in jpc_qcx_getcompparms():
https://github.com/jasper-software/jasper/commit/a0039ac982c8351e04847ea9bac5a9584e9d72ee

fix memory leak in jas_iccattrtab_copy():
https://github.com/jasper-software/jasper/commit/02078df77bd1e0e521f8c8b965effbcf96e4174e

fix various memory leaks in jpc_dec_decodepkt():
https://github.com/jasper-software/jasper/commit/aa8516b28344aa1263ee538bb7366c4679a0e1a5
This one we have as jasper-CVE-2018-20622.patch since it also fixes a CVE.

fix memory leaks in jas_cmprof_createsycc():
https://github.com/jasper-software/jasper/commit/d55b8b74d711d28d2ada3656e58ff171f8f040aa

I think these memleaks have been present in JasPer even before my backporting of the CVE fixes.

@Security: Does that mean I'll need a new bug so that I can reference a new bugnr in the changes file/patch?
Comment 15 Michael Vetter 2020-09-18 09:34:02 UTC
@Security Jun just tested jasper before my update and confirms that the memleaks have been there before this update.

So I think the update can go through and in case you want those memleaks fixed we should open a separate bug and I'll apply the patches mentioned in my last comment.
Comment 16 Swamp Workflow Management 2020-09-21 13:16:32 UTC
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-09-21 13:23:32 UTC
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    jasper-2.0.14-3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-09-24 16:19:13 UTC
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    jasper-2.0.14-lp151.4.9.1
Comment 19 Swamp Workflow Management 2020-09-25 10:19:15 UTC
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    jasper-2.0.14-lp152.7.3.1
Comment 23 OBSbugzilla Bot 2023-10-30 19:35:15 UTC
This is an autogenerated message for OBS integration:
This bug (1115637) was mentioned in
https://build.opensuse.org/request/show/1121278 Factory / jasper