Bug 961886 - (CVE-2016-1867) VUL-1: CVE-2016-1867: jasper: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/160664/
CVSSv2:RedHat:CVE-2016-1867:4.3:(AV:N...
Reported: 2016-01-14 10:08 UTC by Johannes Segitz
Modified: 2016-11-17 19:10 UTC (History)
Found By: Security Response Team

Attachments
poc (1.12 KB, application/zip), 2016-01-14 10:08 UTC, Johannes Segitz
Proposed patch to fix pi->picomps going out of bounds (573 bytes, patch), 2016-01-14 13:48 UTC, Fridrich Strba

Description Johannes Segitz 2016-01-14 10:08:41 UTC
Created attachment 661743 [details]
poc

CVE-2016-1867
Qihoo 360 Codesafe Team reports:

We find a vulnerability in the way JasPer's jpc_pi_nextcprl() function parsed certain JPEG 2000 image files.
I was successful in reproducing this issue in the jasper-1.900.1-31.fc23.src.
The gdb info was:
Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

Program received signal SIGSEGV, Segmentation fault.
jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
435                     pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
(gdb) bt
#0  jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
#1  jpc_pi_next (pi=pi@entry=0x80a4ab0) at jpc_t2cod.c:125
#2  0x08062d85 in jpc_dec_decodepkts (dec=dec@entry=0x809a5b8, 
    pkthdrstream=0x8096308, in=0x8096308) at jpc_t2dec.c:441
#3  0x0806202a in jpc_dec_process_sod (dec=0x809a5b8, ms=0x0) at jpc_dec.c:591
#4  0x0806158d in jpc_dec_decode (dec=0x809a5b8) at jpc_dec.c:390
#5  jpc_decode (in=in@entry=0x8096308, optstr=optstr@entry=0x0)
    at jpc_dec.c:254
#6  0x08056627 in jp2_decode (in=0x8096308, optstr=0x0) at jp2_dec.c:215
#7  0x08051a28 in jas_image_decode (in=in@entry=0x8096308, 
    fmt=<optimized out>, optstr=0x0) at jas_image.c:379
#8  0x08048f19 in main (argc=9, argv=0xbffff094) at jasper.c:229

Reproducer attached, worked on SLE 12. Vulnerable code in SLE starting from SLE 10 SP3 all the way up.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1867
http://seclists.org/oss-sec/2016/q1/88
Comment 1 Vladimir Nadvornik 2016-01-14 12:24:08 UTC
Fridrich, this is for you...
Comment 2 Fridrich Strba 2016-01-14 13:48:10 UTC
Created attachment 661763 [details]
Proposed patch to fix pi->picomps going out of bounds

My analysis is that it crashes as pi->picomps is going out of bounds. The pi->numcomps should hold the number of components, pi->compno should be pointing to the current component. This proposed patch simply exits the loop as soon as pi->compno is not smaller than pi->numcomps. It seems to fix the crash and the generated bmp is showing the same image as the original jp2.
In the current case the pchg->compnoend is around 90 (don't remember exactly what I saw in the debugger, but it was either 97 or 87). So, with pi->compno being 3, the crash happens.
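Comment 2 describes the fix as leaving the component loop as soon as pi->compno is no longer smaller than pi->numcomps. The C example below is written for this page and is not JasPer code or the attached patch; it models that hardened loop bound over simplified, constructed structures (picomp_t, pchg_t, pi_t and the visited_for() helper are assumptions of the example, with compnoend taken from the untrusted file and numcomps from what was actually allocated):

```c
/* Constructed, simplified stand-ins for the JasPer structures in the backtrace
 * (jpc_t2cod.c). Field names follow the bug report; shapes and sample values
 * are assumptions for this example, not JasPer's own definitions. */
typedef struct {
    int hsamp;         /* horizontal subsampling factor (from the SIZ marker) */
    int prcwidthexpn;  /* precinct width exponent at the current resolution */
} picomp_t;
typedef struct {
    int compnostart;   /* first component of the progression (from the file) */
    int compnoend;     /* one past the last component (from the file, untrusted) */
} pchg_t;
typedef struct {
    int numcomps;          /* components actually allocated */
    picomp_t picomps[8];   /* only the first numcomps entries are valid */
} pi_t;

/* The loop in jpc_pi_nextcprl() was bounded only by pchg->compnoend, so a file
 * with compnoend > numcomps made &pi->picomps[compno] point past the array
 * before picomp->hsamp was read. The fix from Comment 2 adds a second bound:
 * stop as soon as compno reaches pi->numcomps. Returns the number of
 * components visited (-1 if compnostart is unusable) and sums the xstep values. */
int next_cprl_components(const pi_t *pi, const pchg_t *pchg, long *xstep_sum)
{
    int visited = 0;
    long sum = 0;
    if (pchg->compnostart < 0) return -1;
    for (int compno = pchg->compnostart;
         compno < pchg->compnoend && compno < pi->numcomps;  /* hardened bound */
         ++compno) {
        const picomp_t *picomp = &pi->picomps[compno];      /* always in range */
        sum += (long)picomp->hsamp * (1L << picomp->prcwidthexpn);  /* cf. line 435 */
        ++visited;
    }
    if (xstep_sum)
        *xstep_sum = sum;
    return visited;
}

/* Build an iterator with n (at most 8) components of constructed sample values
 * and run the progression range [compnostart, compnoend) over it. */
int visited_for(int n, int compnostart, int compnoend)
{
    pi_t pi = { .numcomps = n > 8 ? 8 : n };
    for (int i = 0; i < pi.numcomps; ++i) {
        pi.picomps[i].hsamp = 1 + i;        /* constructed */
        pi.picomps[i].prcwidthexpn = 15;    /* constructed */
    }
    return next_cprl_components(&pi, &(pchg_t){ compnostart, compnoend }, 0);
}
```

With a range like the one seen in the debugger (compnoend far beyond three allocated components), the hardened loop visits exactly numcomps entries instead of reading past the array.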
Comment 3 Swamp Workflow Management 2016-01-14 23:00:13 UTC
bugbot adjusting priority
Comment 4 Bernhard Wiedemann 2016-01-15 08:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (961886) was mentioned in
https://build.opensuse.org/request/show/353784 Factory / jasper
Comment 5 Bernhard Wiedemann 2016-01-15 09:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (961886) was mentioned in
https://build.opensuse.org/request/show/353788 Factory / jasper
https://build.opensuse.org/request/show/353795 13.2 / jasper
https://build.opensuse.org/request/show/353796 13.1 / jasper
Comment 8 Swamp Workflow Management 2016-01-24 14:11:58 UTC
openSUSE-SU-2016:0211-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 961886
CVE References: CVE-2016-1867
Sources used:
openSUSE 13.2 (src):    jasper-1.900.1-163.16.1
Comment 9 Swamp Workflow Management 2016-01-24 18:13:21 UTC
openSUSE-SU-2016:0217-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 725758,830803,881716,961886
CVE References: CVE-2014-8138,CVE-2016-1867
Sources used:
openSUSE 13.1 (src):    jasper-1.900.1-160.16.1
Comment 10 Johannes Segitz 2016-10-18 09:58:58 UTC
released
Comment 11 Swamp Workflow Management 2016-11-10 20:09:55 UTC
SUSE-SU-2016:2775-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    jasper-1.900.14-181.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    jasper-1.900.14-181.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jasper-1.900.14-181.1
SUSE Linux Enterprise Server 12-SP2 (src):    jasper-1.900.14-181.1
SUSE Linux Enterprise Server 12-SP1 (src):    jasper-1.900.14-181.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    jasper-1.900.14-181.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    jasper-1.900.14-181.1
Comment 12 Swamp Workflow Management 2016-11-10 20:12:32 UTC
SUSE-SU-2016:2776-1: An update that fixes 19 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    jasper-1.900.14-134.25.1
SUSE Linux Enterprise Server 11-SP4 (src):    jasper-1.900.14-134.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    jasper-1.900.14-134.25.1
Comment 13 Swamp Workflow Management 2016-11-17 19:10:08 UTC
openSUSE-SU-2016:2833-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
openSUSE Leap 42.2 (src):    jasper-1.900.14-167.1
openSUSE Leap 42.1 (src):    jasper-1.900.14-166.1