Bugzilla – Bug 961886
VUL-1: CVE-2016-1867: jasper: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function
Last modified: 2016-11-17 19:10:08 UTC
Created attachment 661743 [details]
poc CVE-2016-1867

Qihoo 360 Codesafe Team reports:

We find a vulnerability in the way JasPer's jpc_pi_nextcprl() function parsed certain JPEG 2000 image files. I was successful in reproducing this issue in the jasper-1.900.1-31.fc23.src.

The gdb info was:

Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

Program received signal SIGSEGV, Segmentation fault.
jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
435 pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
(gdb) bt
#0 jpc_pi_nextcprl (pi=0x80a4ab0) at jpc_t2cod.c:435
#1 jpc_pi_next (pi=pi@entry=0x80a4ab0) at jpc_t2cod.c:125
#2 0x08062d85 in jpc_dec_decodepkts (dec=dec@entry=0x809a5b8, pkthdrstream=0x8096308, in=0x8096308) at jpc_t2dec.c:441
#3 0x0806202a in jpc_dec_process_sod (dec=0x809a5b8, ms=0x0) at jpc_dec.c:591
#4 0x0806158d in jpc_dec_decode (dec=0x809a5b8) at jpc_dec.c:390
#5 jpc_decode (in=in@entry=0x8096308, optstr=optstr@entry=0x0) at jpc_dec.c:254
#6 0x08056627 in jp2_decode (in=0x8096308, optstr=0x0) at jp2_dec.c:215
#7 0x08051a28 in jas_image_decode (in=in@entry=0x8096308, fmt=<optimized out>, optstr=0x0) at jas_image.c:379
#8 0x08048f19 in main (argc=9, argv=0xbffff094) at jasper.c:229

Reproducer attached, worked on SLE 12.

Vulnerable code in SLE starting from SLE 10 SP3 all the way up.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1867
http://seclists.org/oss-sec/2016/q1/88
Fridrich, this is for you...
Created attachment 661763 [details]
Proposed patch to fix pi->picomps going out of bounds

My analysis is that it crashes as pi->picomps is going out of bounds. The pi->numcomps should hold the number of components, pi->compno should be pointing to the current component. This proposed patch simply exits the loop as soon as pi->compno is not smaller than pi->numcomps. It seems to fix the crash and the generated bmp is showing the same image as the original jp2.

In the current case the pchg->compnoend is around 90 (don't remember exactly what I saw in the debugger, but it was either 97 or 87). So, with pi->compno being 3, the crash happens.
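The analysis above boils down to a loop whose upper bound (pchg->compnoend) comes from the codestream while the array it indexes (pi->picomps) has only pi->numcomps entries. The following is an added, stand-alone C model of that situation; it is not JasPer's code and not the proposed patch from this bug. The struct and function names (picomp_t, pi_t, pchg_t, unchecked_overrun, clamped_visit, run_case) are invented for illustration, and the sample of three components with compnoend = 90 is constructed to mirror the numbers quoted in the comment. The unchecked variant only counts how far past the array the original loop bound would carry the index, without dereferencing anything; the clamped variant is the defensive form, bounding the loop by the allocated count and rejecting a negative start.

```c
#include <stdio.h>

/* Reduced model of a per-component entry (hypothetical; only hsamp is used). */
typedef struct {
    int hsamp;
    int vsamp;
} picomp_t;

/* Packet iterator state: numcomps entries really exist in picomps. */
typedef struct {
    int numcomps;
    const picomp_t *picomps;
} pi_t;

/* Progression-change bounds as parsed from the file; attacker controlled. */
typedef struct {
    int compnostart;
    int compnoend;
} pchg_t;

/* Counts how many iterations the unclamped loop "for (compno = start;
 * compno < end; ++compno)" would spend outside [0, numcomps). It never
 * touches picomps, so it is safe to call with any bounds. 0 means in-bounds. */
int unchecked_overrun(const pi_t *pi, const pchg_t *pchg)
{
    int overrun = 0;
    for (int compno = pchg->compnostart; compno < pchg->compnoend; ++compno) {
        if (compno < 0 || compno >= pi->numcomps) {
            overrun++;
        }
    }
    return overrun;
}

/* Hardened loop: the end bound is clamped to the number of allocated
 * components and a negative start is rejected with -1. Returns the sum of
 * hsamp over the visited entries and reports how many were visited. */
int clamped_visit(const pi_t *pi, const pchg_t *pchg, int *visited)
{
    int end = pchg->compnoend < pi->numcomps ? pchg->compnoend : pi->numcomps;
    int sum = 0;
    *visited = 0;
    if (pchg->compnostart < 0) {
        return -1;
    }
    for (int compno = pchg->compnostart; compno < end; ++compno) {
        const picomp_t *picomp = &pi->picomps[compno]; /* always in bounds here */
        sum += picomp->hsamp;
        (*visited)++;
    }
    return sum;
}

/* Constructed sample: three components, as in the analysis above. */
static const picomp_t g_comps[3] = { {1, 1}, {2, 2}, {2, 2} };

/* Runs both variants against the sample for the given parsed bounds. */
int run_case(int compnostart, int compnoend, int *overrun, int *visited)
{
    pi_t pi = { 3, g_comps };
    pchg_t pchg = { compnostart, compnoend };
    *overrun = unchecked_overrun(&pi, &pchg);
    return clamped_visit(&pi, &pchg, visited);
}

int main(void)
{
    int overrun, visited;
    /* compnoend = 90 is constructed to match the value recalled in the bug. */
    int sum = run_case(0, 90, &overrun, &visited);
    printf("unclamped loop would run %d iterations past the array\n", overrun);
    printf("clamped loop visited %d components, hsamp sum %d\n", visited, sum);
    return 0;
}
```

With numcomps = 3 and compnoend = 90 the unclamped bound drives 87 iterations past the array, which is the out-of-bounds read the backtrace shows; the clamped loop visits exactly the three real components and decodes the same data the comment reports seeing in the regenerated bmp.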
bugbot adjusting priority
This is an autogenerated message for OBS integration:
This bug (961886) was mentioned in
https://build.opensuse.org/request/show/353784 Factory / jasper
This is an autogenerated message for OBS integration:
This bug (961886) was mentioned in
https://build.opensuse.org/request/show/353788 Factory / jasper
https://build.opensuse.org/request/show/353795 13.2 / jasper
https://build.opensuse.org/request/show/353796 13.1 / jasper
openSUSE-SU-2016:0211-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 961886
CVE References: CVE-2016-1867
Sources used:
openSUSE 13.2 (src): jasper-1.900.1-163.16.1
openSUSE-SU-2016:0217-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 725758,830803,881716,961886
CVE References: CVE-2014-8138,CVE-2016-1867
Sources used:
openSUSE 13.1 (src): jasper-1.900.1-160.16.1
released
SUSE-SU-2016:2775-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Server 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Server 12-SP1 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Desktop 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Desktop 12-SP1 (src): jasper-1.900.14-181.1
SUSE-SU-2016:2776-1: An update that fixes 19 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): jasper-1.900.14-134.25.1
SUSE Linux Enterprise Server 11-SP4 (src): jasper-1.900.14-134.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): jasper-1.900.14-134.25.1
openSUSE-SU-2016:2833-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
openSUSE Leap 42.2 (src): jasper-1.900.14-167.1
openSUSE Leap 42.1 (src): jasper-1.900.14-166.1