Bug 1011829 (CVE-2016-9557) - VUL-0: CVE-2016-9557: jasper: signed integer overflow in jas_image.c
Summary: VUL-0: CVE-2016-9557: jasper: signed integer overflow in jas_image.c
Status: RESOLVED FIXED
Alias: CVE-2016-9557
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: unspecified
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/176702
Whiteboard: CVSSv2:SUSE:CVE-2016-9557:4.3:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-23 10:39 UTC by Mikhail Kasimov
Modified: 2022-06-10 13:09 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2016-11-23 10:39:48 UTC 
Reference: http://seclists.org/oss-sec/2016/q4/470
====================================================
Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.

The undefined behavior sanitizer shows a signed integer overflow in 
jas_image.c
As you can see, the commit which fixes the issue is not a fix itself for the 
signed integer overflow, but changed a bit how, in jasper, the things work.

The complete UBSan output:

# imginfo -f $FILE
/tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: 
runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be 
represented in type 'long'

Affected version:
1.900.17

Fixed version:
1.900.25

Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c

Timeline:
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
====================================================
Comment 1 Swamp Workflow Management 2016-11-23 23:00:48 UTC 
bugbot adjusting priority
Comment 6 Michael Vetter 2020-08-17 13:32:33 UTC 
Same fix as https://bugzilla.suse.com/show_bug.cgi?id=1010786#c6

jasper-CVE-2016-9397-CVE-2016-9557.patch in home:mvetter:jasper-cves.
Will submit once more issues are fixed.
Comment 9 Swamp Workflow Management 2020-09-21 13:15:19 UTC 
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Carlos López 2022-06-10 13:09:20 UTC 
Done, closing.