Bugzilla – Bug 906364
VUL-0: CVE-2014-9029: jasper: Heap overflows in libjasper
Last modified: 2016-02-05 07:00:21 UTC
Currently no CVE and no patch. CRD will probably be 2014-12-03 but that's also not decided. Will update the bug once more information is available. This is only relevant for SLE 10 SP3 (TD), but jasper is also on openSUSE and apparently it's used in ImageMagick, although I couldn't reproduce it using the PoCs.

From: Jose Duart, Google Security Team

We found two heap overflows in libjasper, affecting the source distribution (libjasper 1.900.1) as well as the version bundled in Ubuntu Trusty (http://packages.ubuntu.com/trusty/libjasper1) and Debian Sid (https://packages.debian.org/sid/libjasper-runtime). We checked with Ubuntu and Debian since they usually come with all available security patches, so we think any other distribution might be affected.

The reported bugs can be reproduced using the jasper utility that comes with the library, which can be used to convert JPEG2000 images to other formats:

$ ./jasper -f PoC.jp2 -T bmp -O /dev/null

It's also possible to test it using ImageMagick (display, convert, etc.) since it's using libjasper for JPEG2000 files.
Heap overflow in jpc_dec_cp_setfromcox

Address sanitizer report:

==25272==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000010005 at pc 0x000000507eb0 bp 0x7fff389a9190 sp 0x7fff389a9188
WRITE of size 1 at 0x618000010005 thread T0
    #0 0x507eaf in jpc_dec_cp_setfromcox /libjasper/jpc/jpc_dec.c:1657:3
    #1 0x507eaf in jpc_dec_cp_setfromcoc /libjasper/jpc/jpc_dec.c:1644
    #2 0x507eaf in jpc_dec_process_coc /libjasper/jpc/jpc_dec.c:1289
    #3 0x509c92 in jpc_dec_decode /libjasper/jpc/jpc_dec.c:390:10
    #4 0x509c92 in jpc_decode /libjasper/jpc/jpc_dec.c:254
    #5 0x4ef836 in jp2_decode /libjasper/jp2/jp2_dec.c:215:21
    #6 0x4cf126 in jas_image_decode /libjasper/base/jas_image.c:372:16
    #7 0x4a97e5 in main /libjasper/jasper.c:229:16

Valgrind:

==2386== Invalid read of size 4
==2386==    at 0x40D733: jpc_dec_cp_setfromcox.isra.0 (/libjasper/jpc/jpc_dec.c:1656)
==2386==    by 0x40D908: jpc_dec_process_coc (/libjasper/jpc/jpc_dec.c:1644)
==2386==    by 0x40E20C: jpc_decode (/libjasper/jpc/jpc_dec.c:390)
==2386==    by 0x40B8D6: jp2_decode (/libjasper/jp2/jp2_dec.c:215)
==2386==    by 0x403BE8: jas_image_decode (/libjasper/base/jas_image.c:372)
==2386==    by 0x401BC0: main (/appl/jasper.c:229)
==2386==  Address 0x535dff0 is 0 bytes after a block of size 896 alloc'd
==2386==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==2386==    by 0x40C1A1: jpc_dec_cp_create (/libjasper/jpc/jpc_dec.c:1492)
==2386==    by 0x40C292: jpc_dec_process_siz (/libjasper/jpc/jpc_dec.c:1180)
==2386==    by 0x40E20C: jpc_decode (/libjasper/jpc/jpc_dec.c:390)
==2386==    by 0x40B8D6: jp2_decode (/libjasper/jp2/jp2_dec.c:215)
==2386==    by 0x403BE8: jas_image_decode (/libjasper/base/jas_image.c:372)
==2386==    by 0x401BC0: main (/appl/jasper.c:229)
==2386==
==2386== Invalid write of size 1
==2386==    at 0x40D745: jpc_dec_cp_setfromcox.isra.0 (/libjasper/jpc/jpc_dec.c:1657)
==2386==    by 0x40D908: jpc_dec_process_coc (/libjasper/jpc/jpc_dec.c:1644)
==2386==    by 0x40E20C: jpc_decode (/libjasper/jpc/jpc_dec.c:390)
==2386==    by 0x40B8D6: jp2_decode (/libjasper/jp2/jp2_dec.c:215)
==2386==    by 0x403BE8: jas_image_decode (/libjasper/base/jas_image.c:372)
==2386==    by 0x401BC0: main (/appl/jasper.c:229)
==2386==  Address 0x535dff5 is 5 bytes after a block of size 896 alloc'd
==2386==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==2386==    by 0x40C1A1: jpc_dec_cp_create (/libjasper/jpc/jpc_dec.c:1492)
==2386==    by 0x40C292: jpc_dec_process_siz (/libjasper/jpc/jpc_dec.c:1180)
==2386==    by 0x40E20C: jpc_decode (/libjasper/jpc/jpc_dec.c:390)
==2386==    by 0x40B8D6: jp2_decode (/libjasper/jp2/jp2_dec.c:215)
==2386==    by 0x403BE8: jas_image_decode (/libjasper/base/jas_image.c:372)
==2386==    by 0x401BC0: main (/appl/jasper.c:229)

Heap overflow in jpc_dec_cp_setfromrgn

Address sanitizer report:

==25279==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c0000102b9 at pc 0x0000005083c5 bp 0x7fff810fa750 sp 0x7fff810fa748
WRITE of size 1 at 0x61c0000102b9 thread T0
    #0 0x5083c4 in jpc_dec_cp_setfromrgn /libjasper/jpc/jpc_dec.c:1717:2
    #1 0x5083c4 in jpc_dec_process_rgn /libjasper/jpc/jpc_dec.c:1315
    #2 0x509c92 in jpc_dec_decode /libjasper/jpc/jpc_dec.c:390:10
    #3 0x509c92 in jpc_decode /libjasper/jpc/jpc_dec.c:254
    #4 0x4cf126 in jas_image_decode /libjasper/base/jas_image.c:372:16
    #5 0x4a97e5 in main /libjasper/jasper.c:229:16

Valgrind:

==4133== Invalid write of size 1
==4133==    at 0x40C0D8: jpc_dec_process_rgn (/libjasper/jpc/jpc_dec.c:1717)
==4133==    by 0x40E20C: jpc_decode (/libjasper/jpc/jpc_dec.c:390)
==4133==    by 0x403BE8: jas_image_decode (/libjasper/base/jas_image.c:372)
==4133==    by 0x401BC0: main (/appl/jasper.c:229)
==4133==  Address 0x53514a9 is 71 bytes before a block of size 128 alloc'd
==4133==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==4133==    by 0x40C4AB: jpc_dec_process_siz (/libjasper/jpc/jpc_dec.c:1231)
==4133==    by 0x40E20C: jpc_decode (/libjasper/jpc/jpc_dec.c:390)
==4133==    by 0x403BE8: jas_image_decode (/libjasper/base/jas_image.c:372)
==4133==    by 0x401BC0: main (/appl/jasper.c:229)
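Both traces above show a one-byte write landing outside arrays that jpc_dec_process_siz allocated from the SIZ header's component count, reached from the COC and RGN marker handlers. The defect class that produces this is a per-component index read from the codestream and used without being checked against that count. The following is an added illustration of the hardened form of such a handler, not JasPer's own code; the cp_t structure, cp_create and coc_apply are assumed names, and only the JPEG 2000 rule that the component index is 1 byte when Csiz < 257 and 2 bytes otherwise is taken from the standard.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified per-component decoder state (not JasPer's types). */
typedef struct {
    int numcomps;       /* component count taken from the SIZ marker (Csiz) */
    uint8_t *numrlvls;  /* one entry per component, sized from numcomps */
} cp_t;

cp_t *cp_create(int numcomps)
{
    cp_t *cp = calloc(1, sizeof *cp);
    if (!cp || numcomps <= 0) { free(cp); return NULL; }
    cp->numcomps = numcomps;
    cp->numrlvls = calloc((size_t)numcomps, sizeof *cp->numrlvls);
    if (!cp->numrlvls) { free(cp); return NULL; }
    return cp;
}

void cp_destroy(cp_t *cp)
{
    if (cp) { free(cp->numrlvls); free(cp); }
}

/* Apply a COC marker body to cp. The component index (Ccoc) is 1 byte when
 * Csiz < 257 and 2 bytes (big-endian) otherwise; the byte after it is treated
 * here as the per-component level count. Returns 0 on success, -1 when the
 * segment is truncated or the index is outside the SIZ-sized arrays. */
int coc_apply(cp_t *cp, const uint8_t *buf, size_t len)
{
    size_t idxlen = cp->numcomps < 257 ? 1 : 2;
    if (len < idxlen + 1)
        return -1;                          /* truncated marker segment */
    int compno = (idxlen == 1) ? buf[0] : ((buf[0] << 8) | buf[1]);
    /* The essential check: an index taken from the file must not address
     * memory beyond the numcomps entries allocated from SIZ. Without this
     * line the assignment below writes past the end of cp->numrlvls. */
    if (compno >= cp->numcomps)
        return -1;
    cp->numrlvls[compno] = buf[idxlen];
    return 0;
}

int main(void)
{
    static const uint8_t coc[] = {0x07, 0x05};   /* constructed: Ccoc=7 in a 3-component image */
    cp_t *cp = cp_create(3);
    int rc = cp ? coc_apply(cp, coc, sizeof coc) : -1;   /* rejected: 7 >= 3 */
    cp_destroy(cp);
    return rc == -1 ? 0 : 1;
}
```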
Created attachment 614380 [details] PoC file 1
Created attachment 614381 [details] PoC file 2
bugbot adjusting priority
Created attachment 615431 [details] Proposed fix from Tomas Hoger.
Yes, we need this for the following code streams:
SLE10-SP3-TD
SLE11-SP1-TD
SLE11-SP3
SLE12
+ openSUSE 12.3, 13.1 and 13.2
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59884
SLE packages are submitted, sr 47025, 47027, 47028. For openSUSE I am waiting for CRD.
public
openSUSE packages are submitted.
This is an autogenerated message for OBS integration:
This bug (906364) was mentioned in
https://build.opensuse.org/request/show/264119 12.3 / jasper
https://build.opensuse.org/request/show/264120 13.2 / jasper
https://build.opensuse.org/request/show/264121 13.1 / jasper
openSUSE-SU-2014:1644-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 906364
CVE References: CVE-2014-9029
Sources used:
openSUSE 13.2 (src): jasper-1.900.1-163.5.1
openSUSE 13.1 (src): jasper-1.900.1-160.5.1
openSUSE 12.3 (src): jasper-1.900.1-156.5.1
This is an autogenerated message for OBS integration:
This bug (906364) was mentioned in
https://build.opensuse.org/request/show/265905 Factory / jasper
SUSE-SU-2015:0016-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 906364,909474,909475
CVE References: CVE-2014-8137,CVE-2014-9029
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): jasper-1.900.1-166.1
SUSE Linux Enterprise Server 12 (src): jasper-1.900.1-166.1
SUSE Linux Enterprise Desktop 12 (src): jasper-1.900.1-166.1
SUSE-SU-2015:0207-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 906364
CVE References: CVE-2014-9029
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): jasper-1.900.1-134.13.1
SUSE Linux Enterprise Server 11 SP3 (src): jasper-1.900.1-134.13.1
SUSE Linux Enterprise Desktop 11 SP3 (src): jasper-1.900.1-134.13.1
released
Guys, have we also fixed this for SLES 11SP1?