Bug 1020353 (CVE-2017-5498) - VUL-1: CVE-2017-5498: jasper: left-shift undefined behaviour
Summary: VUL-1: CVE-2017-5498: jasper: left-shift undefined behaviour
Status: RESOLVED FIXED
Alias: CVE-2017-5498
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/178723/
Whiteboard: CVSSv2:NVD:CVE-2017-5498:4.3:(AV:N/AC...
Keywords:
Depends on:
Blocks: CVE-2017-5503 CVE-2017-5505
Reported: 2017-01-17 12:51 UTC by Matthias Gerstner
Modified: 2019-12-03 23:36 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Matthias Gerstner 2017-01-17 12:51:59 UTC
CVE-2017-5498 found by Agostino Sarubbo

With the undefined behavior sanitizer enabled, jasper crashes showing some 
left shift [...] overflow.

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5498
http://seclists.org/oss-sec/2017/q1/106
Comment 1 Matthias Gerstner 2017-01-17 13:03:34 UTC
This issue should only show if jasper was compiled with `-fsanitize=undefined`.

When I run the reproducer against our SLE-12:Update codestream then `imginfo`
runs into an assertion instead:

  jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.

I don't think this issue is very severe, since under most circumstances the
undefined left shifts do the expected thing.

I found various upstream commits that deal with this:

1) They disabled the undefined behaviour sanitizer via the preprocessor on this
specific spot:

https://github.com/mdadams/jasper/commit/b032fe7fedd0b856bbe5bd7186fc1d22c03ade9f

2) They added a runtime assertion that the undefined left shift does what they
expect from it:

https://github.com/mdadams/jasper/commit/dc129830baf8cfe104454d3a6e426f55af51b1d3

3) They replaced all bit shift operations by calls to their wrapper function:

https://github.com/mdadams/jasper/commit/b9be3d9f35fccb7811ff68bbd6a57156f0192427
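Worked example added here, not jasper's code and not part of the bug report: a C sketch of what the three upstream approaches listed above amount to, i.e. the undefined `x << n` on a negative value beside a well-defined wrapper that shifts the unsigned representation instead, plus a runtime self-check of the wrappers against the arithmetic they are meant to implement. The function names (`naive_asl32`, `safe_asl32`, `safe_asr32`, `shift_wrappers_selfcheck`) and the sample values are this example's own assumptions; jasper's actual wrapper in jas_math.h is not reproduced.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The shift as the pre-fix code writes it.  In ISO C, `x << n` with negative x
 * is undefined behaviour, which is what UBSan flagged in jas_math.h
 * ("left shift of negative value -185").  Kept only for comparison. */
static int32_t naive_asl32(int32_t x, int n)
{
    return x << n;
}

/* Well-defined arithmetic shift left: shift the unsigned representation, where
 * wraparound is defined, then convert back.  On two's-complement targets this
 * yields the bits the undefined form "usually" produced.  Name and signature
 * are this example's own, not jasper's wrapper. */
static int32_t safe_asl32(int32_t x, int n)
{
    assert(n >= 0 && n < 32);
    uint32_t u = (uint32_t)x << (unsigned)n;
    /* Converting an out-of-range uint32_t to int32_t is implementation-defined
     * (not undefined); GCC and Clang define it as reduction modulo 2^32. */
    return (int32_t)u;
}

/* Well-defined arithmetic shift right.  `x >> n` on negative x is
 * implementation-defined, so compute floor(x / 2^n) explicitly instead. */
static int32_t safe_asr32(int32_t x, int n)
{
    assert(n >= 0 && n < 32);
    if (x >= 0)
        return x >> n;
    /* -(x + 1) is non-negative and representable for every negative x, and
     * floor(x / 2^n) == -(((-x - 1) >> n) + 1). */
    return -(int32_t)((uint32_t)(-(x + 1)) >> (unsigned)n) - 1;
}

/* Runtime self-check in the spirit of the upstream assertion: verify, for a
 * few constructed sample values, that the wrappers agree with x * 2^n and
 * floor(x / 2^n) computed in 64-bit arithmetic (so nothing overflows).
 * Returns 1 on success, 0 on the first mismatch. */
static int shift_wrappers_selfcheck(void)
{
    const int32_t samples[] = { -185, -1, 0, 1, 12345, -12345, INT32_MIN / 2 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (int n = 0; n < 16; n++) {
            int64_t x = samples[i];
            int64_t d = (int64_t)1 << n;

            /* floor division for the right shift (C's / truncates toward 0) */
            int64_t want_r = x / d;
            if (x < 0 && x % d != 0)
                want_r -= 1;
            if (safe_asr32(samples[i], n) != (int32_t)want_r)
                return 0;

            int64_t want_l = x * d;
            if (want_l > INT32_MAX || want_l < INT32_MIN)
                continue;            /* does not fit: not a valid input */
            if (safe_asl32(samples[i], n) != (int32_t)want_l)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: the value from the UBSan report, shifted by 3. */
    printf("naive  -185 << 3 = %d (undefined in ISO C)\n", naive_asl32(-185, 3));
    printf("safe   -185 << 3 = %d\n", safe_asl32(-185, 3));
    printf("safe   -185 >> 3 = %d\n", safe_asr32(-185, 3));
    printf("self-check: %s\n", shift_wrappers_selfcheck() ? "ok" : "FAILED");
    return shift_wrappers_selfcheck() ? 0 : 1;
}
```

Building this with `cc -fsanitize=undefined` makes the `naive_asl32` call print the same kind of runtime error the reproducer triggers in jas_math.h, while `safe_asl32` passes silently; without the sanitizer both print -1480 on common targets, which is exactly the "usually does the expected thing" observation in the comment above.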
Comment 2 Matthias Gerstner 2017-01-17 13:09:25 UTC
Our codestreams are all affected in some way I guess.

- SLE-12:Update contains the wrapper in
jasper-1.900.14/src/libjasper/include/jasper/jas_math.h:150. The runtime check
for "defined" behaviour is not yet in place. Probably all the global
replacements of bitshift operations are also missing.

- SLE-11:Update contains the wrapper in
jasper-1.900.14/src/libjasper/include/jasper/jas_math.h:150. Pretty much the
same situation as for SLE-12.

- SLE-10-SP3:Update doesn't even contain the wrapper in
jasper-1.701.0/src/libjasper/include/jasper/jas_math.h.
Comment 3 Swamp Workflow Management 2017-01-17 23:00:15 UTC
bugbot adjusting priority
Comment 4 Fridrich Strba 2017-03-17 08:23:56 UTC
(In reply to Matthias Gerstner from comment #2)
> Our codestreams are all affected in some way I guess.
> 
> - SLE-12:Update contains the wrapper in
> jasper-1.900.14/src/libjasper/include/jasper/jas_math.h:150. The runtime check
> for "defined" behaviour is not yet in place. Probably all the global
> replacements of bitshift operations are also missing.

Since the replacements have been there since 1.900.13 and our maintenance update has 1.900.14, we should have them all. I will submit a cumulative patch of the two other commits to put belts and braces around this CVE.
Comment 6 Swamp Workflow Management 2017-04-05 19:10:05 UTC
SUSE-SU-2017:0946-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015400,1015993,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9583,CVE-2016-9591,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Server 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    jasper-1.900.14-134.32.1
Comment 7 Swamp Workflow Management 2017-04-06 16:10:56 UTC
SUSE-SU-2017:0953-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015400,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Server 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Server 12-SP1 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    jasper-1.900.14-194.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    jasper-1.900.14-194.1
Comment 8 Swamp Workflow Management 2017-04-18 10:13:11 UTC
openSUSE-SU-2017:1034-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015400,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
openSUSE Leap 42.2 (src):    jasper-1.900.14-175.3.1
openSUSE Leap 42.1 (src):    jasper-1.900.14-176.1
Comment 9 Marcus Meissner 2019-11-02 20:09:58 UTC
released