Bug 1020353 (CVE-2017-5498)

Summary: VUL-1: CVE-2017-5498: jasper: left-shift undefined behaviour
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: junguo.wang, matthias.gerstner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/178723/
Whiteboard: CVSSv2:NVD:CVE-2017-5498:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-5498:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2017-5498:2.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:NVD:CVE-2017-5498:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1020456, 1020460    

Description Matthias Gerstner 2017-01-17 12:51:59 UTC 
CVE-2017-5498 found by Agostino Sarubbo

With the undefined behavior sanitizer enabled, jasper crashes showing some 
left shift [...] overflow.

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: 
runtime error: left shift of negative value -185

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5498
http://seclists.org/oss-sec/2017/q1/106
Comment 1 Matthias Gerstner 2017-01-17 13:03:34 UTC 
This issue should only show if jasper was compiled with `-fsanitize=undefined`.

When I run the reproducer against our SLE-12:Update codestream then `imginfo`
runs into an assertion instead:

  jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.

I don't think this issue is very severe, since under most circumstances the
undefined left shifts do the expected thing.

I found various upstream commits that deal with this:

1) They disabled the undefind behaviour sanitizer via the preprocessor on this
specific spot:

https://github.com/mdadams/jasper/commit/b032fe7fedd0b856bbe5bd7186fc1d22c03ade9f

2) They added a runtime assertion that the undefined left shift does what they
expect from it:

https://github.com/mdadams/jasper/commit/dc129830baf8cfe104454d3a6e426f55af51b1d3

3) They replaced all bit shift operations by calls to their wrapper function:

https://github.com/mdadams/jasper/commit/b9be3d9f35fccb7811ff68bbd6a57156f0192427
Comment 2 Matthias Gerstner 2017-01-17 13:09:25 UTC 
Our codestreams are all affected in some way I guess.

- SLE-12:Update contains the wrapper in
jasper-1.900.14/src/libjasper/include/jasper/jas_math.h:150. The runtime check
for "defined" behaviour is not yet in place. Probably all the global
replacements of bitshift operations are also missing.

- SLE-11:Update contains the wrapper in
jasper-1.900.14/src/libjasper/include/jasper/jas_math.h:150. Pretty much the
same situation as for SLE-12.

- SLE-10-SP3:Update doesn't even contain the wrapper in
jasper-1.701.0/src/libjasper/include/jasper/jas_math.h.
Comment 3 Swamp Workflow Management 2017-01-17 23:00:15 UTC 
bugbot adjusting priority
Comment 4 Fridrich Strba 2017-03-17 08:23:56 UTC 
(In reply to Matthias Gerstner from comment #2)
> Our codestreams are all affected in some way I guess.
> 
> - SLE-12:Update contains the wrapper in
> jasper-1.900.14/src/libjasper/include/jasper/jas_math.h:150. The runtime
> check
> for "defined" behaviour is not yet in place. Probably all the global
> replacements of bitshift operations are also missing.

Since the replacements were there since 1.900.13 and our maintenance update has 1.900.14, we should have them all. I will submit a cumulated patch of the two others commits to put belts and braces around this CVE.
Comment 6 Swamp Workflow Management 2017-04-05 19:10:05 UTC 
SUSE-SU-2017:0946-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015400,1015993,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9583,CVE-2016-9591,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Server 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    jasper-1.900.14-134.32.1
Comment 7 Swamp Workflow Management 2017-04-06 16:10:56 UTC 
SUSE-SU-2017:0953-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015400,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Server 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Server 12-SP1 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    jasper-1.900.14-194.1
Comment 8 Swamp Workflow Management 2017-04-18 10:13:11 UTC 
openSUSE-SU-2017:1034-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015400,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
openSUSE Leap 42.2 (src):    jasper-1.900.14-175.3.1
openSUSE Leap 42.1 (src):    jasper-1.900.14-176.1
Comment 9 Marcus Meissner 2019-11-02 20:09:58 UTC 
released