Bugzilla – Bug 909474
VUL-0: CVE-2014-8137: libjasper: double-free in jas_iccattrval_destroy()
Last modified: 2016-10-18 10:20:47 UTC
via distros: CRD: 2014-12-18, 15:00 CET

Two more issues on libjasper have been reported by Jose Duart (Google Security Team), affecting the original source as well as any major distribution (tested on Ubuntu Trusty and Debian Sid). The reported bugs can be reproduced using the jasper utility that comes with the library, which can be used to convert JPEG2000 images to other formats:

$ ./jasper -f PoC.jp2 -T bmp -O /dev/null

Double-free in jas_iccattrval_destroy()

In jas_icctxt_input(), if there's an error (in the PoC the cnt value is bigger than the stream's size), there's a call to jas_free(txt->string) which frees attrval->data.txt, but later on jas_iccattrval_destroy() tries to call free on it again.
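The ownership problem described in the report, reduced to a small stand-alone model (added example, not libjasper's code): a stand-in for the jas_icctxt_input() error path that frees the text when cnt exceeds the stream, either leaving the pointer dangling (the reported behaviour) or clearing it, followed by a stand-in for jas_iccattrval_destroy() that frees unconditionally. The struct, stream and wrapper names, and the 8-byte sample stream, are constructed for this illustration; the free wrapper records released blocks so the dangling case can be exercised without crashing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of libjasper's ICC text attribute (field names follow the
 * report; everything else is constructed for this example). */
typedef struct { char *string; } icctxt_t;
typedef struct { icctxt_t txt; } iccattrval_t;
/* Stream model: the PoC asks for more bytes (cnt) than the stream holds (len). */
typedef struct { const char *buf; size_t len; } stream_t;

/* Free wrapper that refuses to release a block twice, so the dangling
 * variant can be run safely. Returns 1 when a second free was attempted. */
static uintptr_t freed_log[16]; static int n_freed;
static int safe_free(void *p) {
    if (!p) return 0;
    for (int i = 0; i < n_freed; i++)
        if (freed_log[i] == (uintptr_t)p) return 1;   /* same block freed again */
    if (n_freed < 16) freed_log[n_freed++] = (uintptr_t)p;
    free(p);
    return 0;
}

/* Error path of jas_icctxt_input() as the report describes it: the text is
 * freed when cnt exceeds the stream, and with fixed == 0 the pointer is left
 * dangling for the destructor to free again. */
static int txt_input(icctxt_t *txt, const stream_t *in, size_t cnt, int fixed) {
    if (!(txt->string = malloc(cnt + 1))) return -1;
    if (cnt > in->len) {                 /* "read" fails: cnt > stream size */
        safe_free(txt->string);          /* first free */
        if (fixed) txt->string = NULL;   /* clear it: destructor's free is a no-op */
        return -1;
    }
    memcpy(txt->string, in->buf, cnt);
    txt->string[cnt] = '\0';
    return 0;
}

/* Destructor as the report describes it: frees the text unconditionally. */
static int attrval_destroy(iccattrval_t *av) { return safe_free(av->txt.string); }
/* Parse then destroy; returns 1 if a double free occurred, 0 otherwise. */
static int run(size_t cnt, int fixed) {
    static const char data[] = "icc text";          /* constructed 8-byte stream */
    stream_t in = { data, sizeof data - 1 };
    iccattrval_t av = { { NULL } };
    n_freed = 0;
    (void)txt_input(&av.txt, &in, cnt, fixed);      /* fails when cnt > 8, as in the PoC */
    return attrval_destroy(&av);
}
```

With cnt larger than the stream the dangling variant reports the second free while the cleared variant does not; a request that fits the stream frees exactly once in both.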
bugbot adjusting priority
ok, I am looking into it.
Created attachment 617542: jasper.patch

This patch fixes the double free. It probably needs more work because now it exits at assert(iccprof) at jp2_dec.c:294, so for the library there is still a DOS attack possible.
Are there any patches from other distros? I am not 100% sure that my patch is correct.
public
submitted for SLE and opensuse
This is an autogenerated message for OBS integration: This bug (909474) was mentioned in https://build.opensuse.org/request/show/265905 Factory / jasper
This is an autogenerated message for OBS integration: This bug (909474) was mentioned in https://build.opensuse.org/request/show/266163 13.1 / jasper https://build.opensuse.org/request/show/266164 13.2 / jasper https://build.opensuse.org/request/show/266165 12.3 / jasper
SUSE-SU-2015:0016-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 906364,909474,909475 CVE References: CVE-2014-8137,CVE-2014-9029 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): jasper-1.900.1-166.1 SUSE Linux Enterprise Server 12 (src): jasper-1.900.1-166.1 SUSE Linux Enterprise Desktop 12 (src): jasper-1.900.1-166.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-01-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60167
openSUSE-SU-2015:0038-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 909474,909475 CVE References: CVE-2014-8137 Sources used: openSUSE 13.2 (src): jasper-1.900.1-163.9.1
openSUSE-SU-2015:0039-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 909474,909475 CVE References: CVE-2014-8137 Sources used: openSUSE 12.3 (src): jasper-1.900.1-156.9.1
openSUSE-SU-2015:0042-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 909474,909475 CVE References: CVE-2014-8137 Sources used: openSUSE 13.1 (src): jasper-1.900.1-160.9.1
SUSE-SU-2015:0258-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 909474,909475,911837 CVE References: CVE-2014-8137,CVE-2014-8138 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): jasper-1.900.1-134.17.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): jasper-1.900.1-134.17.1 SUSE Linux Enterprise Server 11 SP3 (src): jasper-1.900.1-134.17.1 SUSE Linux Enterprise Desktop 11 SP3 (src): jasper-1.900.1-134.17.1
released