[Bug 1021870] New: VUL-0: jasper: invalid memory read in jas_matrix_bindsub (jas_seq.c)
http://bugzilla.opensuse.org/show_bug.cgi?id=1021870 Bug ID: 1021870 Summary: VUL-0: jasper: invalid memory read in jas_matrix_bindsub (jas_seq.c) Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q1/192 ================================================ Description: jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. Another round of fuzzing shows that a crafted image causes an invalid memory read. The complete ASan output: # imginfo -f $FILE warning: ignoring unknown marker segment (0xff59) type = 0xff59 (UNKNOWN); len = 20;00 40 40 00 00 00 00 69 00 00 00 00 00 00 00 00 00 00 warning: ignoring unknown marker segment (0xff46) type = 0xff46 (UNKNOWN); len = 20;01 40 40 00 00 00 00 00 00 00 00 00 00 00 12 00 94 7f ASAN:DEADLYSIGNAL ================================================================= ==22653==ERROR: AddressSanitizer: SEGV on unknown address 0x60180000ec30 (pc 0x7f410df421b7 bp 0x7ffdc80abaf0 sp 0x7ffdc80aba60 T0) ==22653==The signal is caused by a READ memory access. #0 0x7f410df421b6 in jas_matrix_bindsub /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_seq.c:254:18 #1 0x7f410df951a1 in jpc_dec_tileinit /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:835:5 #2 0x7f410df951a1 in jpc_dec_process_sod /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:594 #3 0x7f410dfa1853 in jpc_dec_decode /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:425:10 #4 0x7f410dfa1853 in jpc_decode /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:262 #5 0x7f410df71231 in jp2_decode /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:218:21 #6 0x7f410df33214 in jas_image_decode /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16 #7 0x50a3be in main /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16 #8 0x7f410d01378f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23- r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #9 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_seq.c:254:18 in jas_matrix_bindsub ==22653==ABORTING Affected version: 2.0.10 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00125-jasper-invalidread-jas_mat... Timeline: 2017-01-21: bug discovered and reported upstream 2017-01-25: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/25/jasper-invalid-memory-read-in-jas_ma... This one should be https://github.com/mdadams/jasper/issues/113 (from http://seclists.org/oss-sec/2017/q1/195) ================================================ Tested on jasper-1.900.14-170.1.x86_64 (https://software.opensuse.org/package/jasper), which is in openSUSE official repo: ================================================= k_mikhail@linux-mk500:~> imginfo -f 00125-jasper-invalidread-jas_matrix_bindsub error: cannot decode code stream cannot load image k_mikhail@linux-mk500:~> imginfo --version 1.900.14 ================================================= So, jasper-1.900.14 seems to be not vuln on 42.2, but, please, re-check for other versions. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1021870
http://bugzilla.opensuse.org/show_bug.cgi?id=1021870#c1
--- Comment #1 from Mikhail Kasimov
participants (1)
-
bugzilla_noreply@novell.com