Bug 1117507 (CVE-2018-19541) - VUL-1: CVE-2018-19541: jasper: heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c
Status: RESOLVED FIXED
Alias: CVE-2018-19541
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Deadline: 2019-10-29
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/219637/
Whiteboard: CVSSv3:SUSE:CVE-2018-19541:5.1:(AV:L/...
Keywords:
Depends on:
Blocks: 1119411
Reported: 2018-11-27 16:00 UTC by Marcus Meissner
Modified: 2020-07-10 13:29 UTC
CC: 12 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
jasper_bug_1.jp2 (442.17 KB, image/jp2)
2018-11-27 16:03 UTC, Marcus Meissner

Description Marcus Meissner 2018-11-27 16:00:38 UTC
CVE-2018-19541

An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read
of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19541
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19541.html
Comment 1 Marcus Meissner 2018-11-27 16:01:30 UTC
https://github.com/mdadams/jasper/issues/182
Comment 2 Marcus Meissner 2018-11-27 16:03:08 UTC
Created attachment 791027 [details]
jasper_bug_1.jp2

QA REPRODUCER:

valgrind jasper --input jasper_bug_1.jp2 --output foo.jpg

should not report

==2291== Invalid read of size 8
==2291==    at 0x4E46ACF: jas_image_depalettize (in /usr/lib64/libjasper.so.1.0.0)
==2291==    by 0x4E51FFB: jp2_decode (in /usr/lib64/libjasper.so.1.0.0)
==2291==    by 0x4E4657C: jas_image_decode (in /usr/lib64/libjasper.so.1.0.0)
Comment 7 Michael Vetter 2019-06-06 08:21:16 UTC
SLE-10-SP3-Update (SR#194233)
SLE-11-Update (SR#194234)
SLE-12-Update (SR#194235)
SLE-15-Update (SR#194236)
Factory: SR#708034
Comment 8 Swamp Workflow Management 2019-06-06 08:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1117507) was mentioned in
https://build.opensuse.org/request/show/708034 Factory / jasper
Comment 10 Swamp Workflow Management 2019-06-06 16:20:13 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-07-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64295
Comment 11 Juraj Hura 2019-07-08 10:10:43 UTC
While testing this fix in:
SUSE:Maintenance:11505:194728
SUSE:Maintenance:10811:194522
SUSE:Maintenance:10810:196067
...I'm getting a segmentation fault after the update. Also, it seems like the original problem did not go away.

Tried this on:
baldr.qam.suse.de (sled 15 x86_64)
teradata2.qam.suse.de (sles 11-SP3 x86_64)
hobbit.qam.suse.de (sled 12-SP4 x86_64)

Output from baldr, SLED 15:
> # valgrind jasper --input /tmp/SUSE:Maintenance:11505:194728/jasper_bug_1.jp2 --output foo.jpg
> ==11406== Memcheck, a memory error detector
> ==11406== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==11406== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
> ==11406== Command: jasper --input /tmp/SUSE:Maintenance:11505:194728/jasper_bug_1.jp2 --output foo.jpg
> ==11406== 
> warning: number of components mismatch
> ==11406== Invalid read of size 8
> ==11406==    at 0x4E55934: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==  Address 0x5a0cc78 is 0 bytes after a block of size 24 alloc'd
> ==11406==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11406==    by 0x4E4CEF6: jas_image_create (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E5CCCE: ??? (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E5B8E4: jpc_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E55322: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406== 
> ==11406== Invalid write of size 8
> ==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
> ==11406== 
> ==11406== 
> ==11406== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> ==11406==  Access not within mapped region at address 0x48
> ==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==  If you believe this happened as a result of a stack
> ==11406==  overflow in your program's main thread (unlikely but
> ==11406==  possible), you can try to increase the size of the
> ==11406==  main thread stack using the --main-stacksize= flag.
> ==11406==  The main thread stack size used in this run was 8388608.
> ==11406== 
> ==11406== HEAP SUMMARY:
> ==11406==     in use at exit: 974,022 bytes in 63 blocks
> ==11406==   total heap usage: 4,108 allocs, 4,045 frees, 19,994,771 bytes allocated
> ==11406== 
> ==11406== LEAK SUMMARY:
> ==11406==    definitely lost: 72 bytes in 1 blocks
> ==11406==    indirectly lost: 948,591 bytes in 25 blocks
> ==11406==      possibly lost: 0 bytes in 0 blocks
> ==11406==    still reachable: 25,359 bytes in 37 blocks
> ==11406==         suppressed: 0 bytes in 0 blocks
> ==11406== Rerun with --leak-check=full to see details of leaked memory
> ==11406== 
> ==11406== For counts of detected and suppressed errors, rerun with: -v
> ==11406== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
> Segmentation fault
Comment 12 Jaroslav Jindrak 2019-07-08 11:03:48 UTC
(In reply to Juraj Hura from comment #11)
> Also, it seems like the original problem did not go away. 
> > ==11406== Invalid read of size 8
> > ==11406==    at 0x4E55934: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> > ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)

The original issue (CVE-2018-19541) was an invalid read in jas_image_depalettize, so I doubt that is the problem here.

The original upstream issue (182) also mentions an invalid read directly in jp2_decode (CVE-2018-19543), so I'd say that is that issue manifesting.

> > ==11406== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> > ==11406==  Access not within mapped region at address 0x48
> > ==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> > ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> > ==11406==    by 0x109B35: main (in /usr/bin/jasper)

Could this be CVE-2018-19542?
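The QA reproducer in comment 2 and the triage in comment 12 both turn on which function sits at the top of Memcheck's stack trace: an invalid read attributed to jas_image_depalettize is the CVE-2018-19541 signature, while one attributed to jp2_decode points at a different issue. The following Python is added here as an illustration and is not part of the bug report or of JasPer; it parses a Memcheck log into (error kind, innermost frame) pairs and reports whether the run was clean, whether the target function appears, and which other frames were hit. The two sample logs are constructed from the lines quoted in the comments, with an ERROR SUMMARY line added to the first.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the Memcheck lines quoted in comments 2 and 11,
# trimmed to what the parser needs (the ERROR SUMMARY of the first is made up).
ORIGINAL_REPORT = """\
==2291== Invalid read of size 8
==2291==    at 0x4E46ACF: jas_image_depalettize (in /usr/lib64/libjasper.so.1.0.0)
==2291==    by 0x4E51FFB: jp2_decode (in /usr/lib64/libjasper.so.1.0.0)
==2291== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""

POST_UPDATE_REPORT = """\
==11406== Invalid read of size 8
==11406==    at 0x4E55934: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
==11406== Invalid write of size 8
==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
==11406== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")
SUMMARY_RE = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors")

def parse_memcheck(log: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return [(error kind, innermost frame), ...] and the ERROR SUMMARY count."""
    errors: List[Tuple[str, str]] = []
    pending = None  # error header waiting for its first stack frame
    total = 0
    for line in log.splitlines():
        if m := ERROR_RE.match(line):
            pending = m.group(1)
        elif (m := FRAME_RE.match(line)) and pending is not None:
            errors.append((pending, m.group(1)))  # the 'at' frame, not the 'by' ones
            pending = None
        elif m := SUMMARY_RE.match(line):
            total = int(m.group(1))
    return errors, total

def verdict(log: str, func: str = "jas_image_depalettize") -> Dict[str, object]:
    """Did the run report anything, and was it attributed to the CVE's function?"""
    errors, total = parse_memcheck(log)
    return {
        "clean": not errors and total == 0,
        "in_target": any(frame == func for _, frame in errors),
        "other_frames": sorted({frame for _, frame in errors if frame != func}),
    }
```

Run against the post-update log from comment 11, the verdict is "not clean, target function absent, jp2_decode hit", which matches the reading in comment 12 that the remaining reports belong to a different CVE rather than to a regression of this fix.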
Comment 13 Michael Vetter 2019-07-08 11:11:41 UTC
Already checking what's going on here. I also suspect that this is CVE-2018-19542.
Comment 14 Michael Vetter 2019-07-08 11:19:11 UTC
Okay, with jasper-CVE-2018-19541.patch commented out the segfault does not happen. Not sure what's going on here.
Comment 15 Jaroslav Jindrak 2019-07-08 12:26:15 UTC
(In reply to Michael Vetter from comment #14)
> Okay, with jasper-CVE-2018-19541.patch commented out the segfault does not
> happen. Not sure what's going on here.

I have tested the CVE-2018-19541 on SLES10SP4 personally, so I'd say that this is either caused by a combination of patches (I only tested the patch alone) or the (unfortunately fairly large) version difference between SLES10SP4 and SLES15SP0.
Comment 16 Juraj Hura 2019-07-08 14:16:07 UTC
(In reply to Jaroslav Jindrak from comment #15)
> I have tested the CVE-2018-19541 on SLES10SP4 personally, so I'd say that
> this is either caused by combination of patches (I only tested the patch
> alone) or the (unfortunately fairly large) version difference between
> SLES10SP4 and SLES15SP0.

I only want to point out that I also got a segfault on 11-SP3 and 12-SP4.
Comment 23 Swamp Workflow Management 2019-10-01 15:37:58 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-10-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64378
Comment 25 Swamp Workflow Management 2019-10-01 16:14:20 UTC
SUSE-SU-2019:14184-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010783,1087020,1117505,1117507,1117508,1117511
CVE References: CVE-2016-9396,CVE-2018-19539,CVE-2018-19540,CVE-2018-19541,CVE-2018-19542,CVE-2018-9055
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    jasper-1.900.14-134.33.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2019-10-02 16:26:39 UTC
SUSE-SU-2019:2512-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117507,1117508
CVE References: CVE-2018-19540,CVE-2018-19541
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    jasper-2.0.14-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2019-10-07 19:12:14 UTC
openSUSE-SU-2019:2282-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117507,1117508
CVE References: CVE-2018-19540,CVE-2018-19541
Sources used:
openSUSE Leap 15.1 (src):    jasper-2.0.14-lp151.4.3.1
Comment 28 Swamp Workflow Management 2019-10-07 19:14:40 UTC
openSUSE-SU-2019:2279-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117507,1117508
CVE References: CVE-2018-19540,CVE-2018-19541
Sources used:
openSUSE Leap 15.0 (src):    jasper-2.0.14-lp150.2.6.1
Comment 29 Roger Whittaker 2019-10-11 09:08:09 UTC
In comment #25 we see that debuginfo packages have been released for SLE11 SP4.

Will normal update packages also appear in the standard SLES 11 SP4 LTSS channel?
Comment 30 Marcus Meissner 2019-10-11 09:58:58 UTC
This was released to the 11-sp4 channels by mistake.

The issue does not meet LTSS criteria at this time.
Comment 31 Swamp Workflow Management 2019-11-04 17:50:08 UTC
This is an autogenerated message for OBS integration:
This bug (1117507) was mentioned in
https://build.opensuse.org/request/show/745234 Factory / jasper
Comment 32 Alexandros Toptsoglou 2020-07-10 13:29:53 UTC
Done