Bugzilla – Bug 963983
VUL-1: CVE-2016-2089: jasper: invalid read in the JasPer's jas_matrix_clip() function
Last modified: 2016-11-17 19:10:19 UTC
Created attachment 663597 [details]
Reproducer

http://seclists.org/oss-sec/2016/q1/233

Qihoo 360 Codesafe Team reported:

We find another vulnerability in the way JasPer's jas_matrix_clip() function parsed certain JPEG 2000 image files.

I was successful in reproducing this issue in the jasper-1.900.1-31.fc23.src. The gdb info was:

Starting program: ./jasper-1.900.1-31.fc23.src/jasper-1.900.1/src/appl/jasper -f ./jasper_poc/poc.jp2 -F temp.out -t jp2 -T bmp

Program received signal SIGSEGV, Segmentation fault.
0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255) at jas_seq.c:286
286       for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
(gdb) bt
#0  0x0805604b in jas_matrix_clip (matrix=0x8bc42f0, minval=0, maxval=255) at jas_seq.c:286
#1  0x08066af5 in jpc_dec_tiledecode (dec=0x81a05b8, tile=0xb785c008) at jpc_dec.c:1117
#2  0x08064e7f in jpc_dec_process_sod (dec=0x81a05b8, ms=0x81a0628) at jpc_dec.c:621
#3  0x080647f4 in jpc_dec_decode (dec=0x81a05b8) at jpc_dec.c:390
#4  0x0806450f in jpc_decode (in=0x819c308, optstr=0x0) at jpc_dec.c:254
#5  0x08058e5e in jp2_decode (in=0x819c308, optstr=0x0) at jp2_dec.c:215
#6  0x08052ba9 in jas_image_decode (in=0x819c308, fmt=4, optstr=0x0) at jas_image.c:379
#7  0x08049158 in main (argc=9, argv=0xbffff094) at jasper.c:229

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1302636
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2089
http://seclists.org/oss-sec/2016/q1/235
Created attachment 663609 [details]
Proposed patch to fix unchecked pointer dereferencing and reading of first elements of empty arrays

I tried to put belts and braces to prevent reading of first elements of empty arrays. I also tried to check some of the null pointer dereferencing. The reproducer does not crash anymore, but it is possible that similar issues are still there :(
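The backtrace above stops at the clip loop's initializer, which reads matrix->rows_[0] before the loop body has checked whether the matrix has any rows at all, and the proposed patch guards exactly that kind of first-element read on empty arrays plus some null pointer dereferences. The following is an added C example (not JasPer's code and not the attached patch) that shows the defensive shape on a simplified stand-in structure: the struct, the demo_ function names and the sample values are all assumptions made for this illustration, with only the field names numrows_ and rows_ borrowed from the backtrace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a row-pointer matrix (assumption: this struct is
 * illustrative only, not JasPer's jas_matrix_t). */
typedef struct {
    int numrows_;
    int numcols_;
    int **rows_;   /* numrows_ row pointers; NULL when the matrix is empty */
} demo_matrix_t;

void demo_matrix_destroy(demo_matrix_t *m)
{
    if (!m) return;
    if (m->rows_) {
        for (int i = 0; i < m->numrows_; ++i) free(m->rows_[i]);
        free(m->rows_);
    }
    free(m);
}

/* Allocate a numrows x numcols matrix. numrows == 0 leaves rows_ == NULL,
 * which is the shape whose rows_[0] read the bug report describes. */
demo_matrix_t *demo_matrix_create(int numrows, int numcols)
{
    demo_matrix_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->numrows_ = numrows;
    m->numcols_ = numcols;
    if (numrows > 0 && numcols > 0) {
        m->rows_ = calloc((size_t)numrows, sizeof *m->rows_);
        if (!m->rows_) { free(m); return NULL; }
        for (int i = 0; i < numrows; ++i) {
            m->rows_[i] = calloc((size_t)numcols, sizeof **m->rows_);
            if (!m->rows_[i]) { demo_matrix_destroy(m); return NULL; }
        }
    }
    return m;
}

/* Clip every element into [minval, maxval]. Returns the number of elements
 * changed, or -1 when the matrix is NULL, empty, or missing row storage, so
 * the caller can reject the input instead of reading the first element of
 * an empty array or dereferencing a NULL row pointer. */
int demo_matrix_clip(demo_matrix_t *matrix, int minval, int maxval)
{
    if (!matrix || !matrix->rows_ || matrix->numrows_ <= 0 || matrix->numcols_ <= 0)
        return -1;
    if (minval > maxval)
        return -1;
    int changed = 0;
    for (int i = 0; i < matrix->numrows_; ++i) {
        int *row = matrix->rows_[i];
        if (!row) return -1;   /* refuse rather than dereference a missing row */
        for (int j = 0; j < matrix->numcols_; ++j) {
            if (row[j] < minval)      { row[j] = minval; ++changed; }
            else if (row[j] > maxval) { row[j] = maxval; ++changed; }
        }
    }
    return changed;
}

/* Scenario from the bug: a 0-row matrix reaches the clip step.
 * Expected: -1 (rejected), no invalid read. */
int demo_clip_empty(void)
{
    demo_matrix_t *m = demo_matrix_create(0, 0);
    int rc = m ? demo_matrix_clip(m, 0, 255) : -2;
    demo_matrix_destroy(m);
    return rc;
}

/* Normal case on constructed 2x3 sample values, clipped to the 8-bit range.
 * Expected: 3 elements changed (-5 -> 0, 300 -> 255, 256 -> 255). */
int demo_clip_samples(void)
{
    demo_matrix_t *m = demo_matrix_create(2, 3);
    if (!m) return -2;
    int vals[2][3] = { { -5, 100, 300 }, { 0, 255, 256 } };
    for (int i = 0; i < 2; ++i)
        for (int j = 0; j < 3; ++j)
            m->rows_[i][j] = vals[i][j];
    int changed = demo_matrix_clip(m, 0, 255);
    int ok = m->rows_[0][0] == 0 && m->rows_[0][2] == 255 && m->rows_[1][2] == 255;
    demo_matrix_destroy(m);
    return ok ? changed : -3;
}

int main(void)
{
    printf("empty matrix: rc=%d\n", demo_clip_empty());
    printf("sample matrix: %d elements clipped\n", demo_clip_samples());
    return 0;
}
```

The point of returning a status instead of silently skipping is that the decoder stage that calls the clip (jpc_dec_tiledecode in the backtrace) can then fail the tile cleanly on a malformed file rather than continuing with an inconsistent image.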
This is an autogenerated message for OBS integration:
This bug (963983) was mentioned in
https://build.opensuse.org/request/show/356558 Factory / jasper
https://build.opensuse.org/request/show/356560 13.2 / jasper
https://build.opensuse.org/request/show/356561 13.1 / jasper
bugbot adjusting priority
This is an autogenerated message for OBS integration:
This bug (963983) was mentioned in
https://build.opensuse.org/request/show/357299 Factory / jasper
This is an autogenerated message for OBS integration:
This bug (963983) was mentioned in
https://build.opensuse.org/request/show/357303 Factory / jasper
https://build.opensuse.org/request/show/357304 13.1 / jasper
https://build.opensuse.org/request/show/357305 13.2 / jasper
openSUSE-SU-2016:0408-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 963983
CVE References: CVE-2016-2089
Sources used:
openSUSE 13.2 (src): jasper-1.900.1-163.21.1
openSUSE-SU-2016:0413-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 963983
CVE References: CVE-2016-2089
Sources used:
openSUSE 13.1 (src): jasper-1.900.1-160.19.1
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2016-03-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62520
released
SUSE-SU-2016:2775-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Server 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Server 12-SP1 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Desktop 12-SP2 (src): jasper-1.900.14-181.1
SUSE Linux Enterprise Desktop 12-SP1 (src): jasper-1.900.14-181.1
SUSE-SU-2016:2776-1: An update that fixes 19 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): jasper-1.900.14-134.25.1
SUSE Linux Enterprise Server 11-SP4 (src): jasper-1.900.14-134.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): jasper-1.900.14-134.25.1
openSUSE-SU-2016:2833-1: An update that fixes 20 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373
CVE References: CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Sources used:
openSUSE Leap 42.2 (src): jasper-1.900.14-167.1
openSUSE Leap 42.1 (src): jasper-1.900.14-166.1