Bugzilla – Bug 1117507
VUL-1: CVE-2018-19541: jasper: heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c
Last modified: 2020-07-10 13:29:53 UTC
CVE-2018-19541
An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19541
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19541.html
https://github.com/mdadams/jasper/issues/182
Created attachment 791027
jasper_bug_1.jp2

QA REPRODUCER:
valgrind jasper --input jasper_bug_1.jp2 --output foo.jpg
should not report
==2291== Invalid read of size 8
==2291==    at 0x4E46ACF: jas_image_depalettize (in /usr/lib64/libjasper.so.1.0.0)
==2291==    by 0x4E51FFB: jp2_decode (in /usr/lib64/libjasper.so.1.0.0)
==2291==    by 0x4E4657C: jas_image_decode (in /usr/lib64/libjasper.so.1.0.0)
SLE-10-SP3-Update (SR#194233)
SLE-11-Update (SR#194234)
SLE-12-Update (SR#194235)
SLE-15-Update (SR#194236)
Factory: SR#708034
This is an autogenerated message for OBS integration: This bug (1117507) was mentioned in https://build.opensuse.org/request/show/708034 Factory / jasper
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-07-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64295
While testing this fix in:
SUSE:Maintenance:11505:194728
SUSE:Maintenance:10811:194522
SUSE:Maintenance:10810:196067
...I'm getting a segmentation fault after the update. Also, it seems like the original problem did not go away.

Tried this on:
baldr.qam.suse.de (sled 15 x86_64)
teradata2.qam.suse.de (sles 11-SP3 x86_64)
hobbit.qam.suse.de (sled 12-SP4 x86_64)

Output from baldr, SLED 15:
> # valgrind jasper --input /tmp/SUSE:Maintenance:11505:194728/jasper_bug_1.jp2 --output foo.jpg
> ==11406== Memcheck, a memory error detector
> ==11406== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==11406== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
> ==11406== Command: jasper --input /tmp/SUSE:Maintenance:11505:194728/jasper_bug_1.jp2 --output foo.jpg
> ==11406==
> warning: number of components mismatch
> ==11406== Invalid read of size 8
> ==11406==    at 0x4E55934: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==  Address 0x5a0cc78 is 0 bytes after a block of size 24 alloc'd
> ==11406==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11406==    by 0x4E4CEF6: jas_image_create (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E5CCCE: ??? (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E5B8E4: jpc_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E55322: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==
> ==11406== Invalid write of size 8
> ==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
> ==11406==
> ==11406==
> ==11406== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> ==11406==  Access not within mapped region at address 0x48
> ==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> ==11406==    by 0x109B35: main (in /usr/bin/jasper)
> ==11406==  If you believe this happened as a result of a stack
> ==11406==  overflow in your program's main thread (unlikely but
> ==11406==  possible), you can try to increase the size of the
> ==11406==  main thread stack using the --main-stacksize= flag.
> ==11406==  The main thread stack size used in this run was 8388608.
> ==11406==
> ==11406== HEAP SUMMARY:
> ==11406==     in use at exit: 974,022 bytes in 63 blocks
> ==11406==   total heap usage: 4,108 allocs, 4,045 frees, 19,994,771 bytes allocated
> ==11406==
> ==11406== LEAK SUMMARY:
> ==11406==    definitely lost: 72 bytes in 1 blocks
> ==11406==    indirectly lost: 948,591 bytes in 25 blocks
> ==11406==      possibly lost: 0 bytes in 0 blocks
> ==11406==    still reachable: 25,359 bytes in 37 blocks
> ==11406==         suppressed: 0 bytes in 0 blocks
> ==11406== Rerun with --leak-check=full to see details of leaked memory
> ==11406==
> ==11406== For counts of detected and suppressed errors, rerun with: -v
> ==11406== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
> Segmentation fault
(In reply to Juraj Hura from comment #11)
> Also, it seems like the original problem did not go away.
> > ==11406== Invalid read of size 8
> > ==11406==    at 0x4E55934: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> > ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)

The original issue (CVE-2018-19541) was an invalid read in jas_image_depalettize, so I doubt that is the problem here. The original upstream issue (182) also mentions an invalid read directly in jp2_decode (CVE-2018-19543), so I'd say that is that issue manifesting.

> > ==11406== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> > ==11406==  Access not within mapped region at address 0x48
> > ==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
> > ==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
> > ==11406==    by 0x109B35: main (in /usr/bin/jasper)

Could this be CVE-2018-19542?
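The triage in the comment above comes down to which function is the innermost frame of each memcheck record (jas_image_depalettize for CVE-2018-19541 versus jp2_decode for the remaining reports). As an added example, not code from this bug or from JasPer, here is a small parser that pulls the "Invalid read/write" records and their faulting stacks out of valgrind output so a QA check can assert on the function rather than on the raw log; the SAMPLE text is constructed, modelled on the output quoted in comment #11.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the valgrind output quoted in comment #11.
SAMPLE = """\
==11406== Invalid read of size 8
==11406==    at 0x4E55934: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
==11406==    by 0x4E4DA9C: jas_image_decode (in /usr/lib64/libjasper.so.4.0.0)
==11406==  Address 0x5a0cc78 is 0 bytes after a block of size 24 alloc'd
==11406==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11406==
==11406== Invalid write of size 8
==11406==    at 0x4E55938: jp2_decode (in /usr/lib64/libjasper.so.4.0.0)
==11406==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
"""
PREFIX = re.compile(r"^==\d+==\s?")
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) ")

@dataclass
class MemcheckError:
    kind: str                                   # "read" or "write"
    size: int
    frames: list = field(default_factory=list)  # faulting stack, innermost first
    address_note: str = ""                      # valgrind's "Address ..." line

def parse_memcheck(text):
    """Collect the Invalid read/write records from memcheck output."""
    errors, current = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        m = HEADER.match(line)
        if m:
            current = MemcheckError(m.group(1), int(m.group(2)))
            errors.append(current)
        elif current is None or not line:   # an empty ==PID== line closes the record
            current = None
        elif line.startswith("Address "):
            current.address_note = line     # frames after this describe the allocation,
            current = None                  # not the fault, so stop collecting here
        else:
            m = FRAME.match(line)
            if m:
                current.frames.append(m.group(1))
    return errors

def faults_in(errors, function):
    """Errors whose innermost frame is `function`, e.g. the CVE's reported location."""
    return [e for e in errors if e.frames and e.frames[0] == function]
```

On the sample, faults_in(..., "jas_image_depalettize") is empty while both records sit in jp2_decode, which is the distinction the comment draws.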
Already checking what's going on here. I also suspect that this is CVE-2018-19542.
Okay, with jasper-CVE-2018-19541.patch commented out the segfault does not happen. Not sure what's going on here.
(In reply to Michael Vetter from comment #14)
> Okay, with jasper-CVE-2018-19541.patch commented out the segfault does not
> happen. Not sure what's going on here.

I have tested the CVE-2018-19541 on SLES10SP4 personally, so I'd say that this is either caused by a combination of patches (I only tested the patch alone) or the (unfortunately fairly large) version difference between SLES10SP4 and SLES15SP0.
(In reply to Jaroslav Jindrak from comment #15)
> I have tested the CVE-2018-19541 on SLES10SP4 personally, so I'd say that
> this is either caused by combination of patches (I only tested the patch
> alone) or the (unfortunately fairly large) version difference between
> SLES10SP4 and SLES15SP0.

I only want to point out that I also got a segfault on 11-SP3 and 12-SP4.
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-10-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64378
SUSE-SU-2019:14184-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010783,1087020,1117505,1117507,1117508,1117511
CVE References: CVE-2016-9396,CVE-2018-19539,CVE-2018-19540,CVE-2018-19541,CVE-2018-19542,CVE-2018-9055
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src): jasper-1.900.14-134.33.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2512-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117507,1117508
CVE References: CVE-2018-19540,CVE-2018-19541
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src): jasper-2.0.14-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2282-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117507,1117508
CVE References: CVE-2018-19540,CVE-2018-19541
Sources used:
openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.3.1
openSUSE-SU-2019:2279-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1117507,1117508
CVE References: CVE-2018-19540,CVE-2018-19541
Sources used:
openSUSE Leap 15.0 (src): jasper-2.0.14-lp150.2.6.1
In comment #25 we see that debuginfo packages have been released for SLE11 SP4. Will normal update packages also appear in the standard SLES 11 SP4 LTSS channel?
This was released to the 11-sp4 channels by mistake. The issue does not meet LTSS criteria at this time.
This is an autogenerated message for OBS integration: This bug (1117507) was mentioned in https://build.opensuse.org/request/show/745234 Factory / jasper
Done