[Bug 1020451] New: VUL-0: CVE-2017-5498, CVE-2017-5499, CVE-2017-5500, CVE-2017-5501, CVE-2017-5502: jasper: multiple crashes with UBSAN
http://bugzilla.opensuse.org/show_bug.cgi?id=1020451

Bug ID: 1020451
Summary: VUL-0: CVE-2017-5498, CVE-2017-5499, CVE-2017-5500, CVE-2017-5501, CVE-2017-5502: jasper: multiple crashes with UBSAN
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: [1] http://seclists.org/oss-sec/2017/q1/101

==============================================
Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

With the undefined behavior sanitizer enabled, jasper crashes showing some left shift and some signed integer overflow.

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_...

Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-j...

Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9: runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot be represented in type 'long'

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c

Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long')

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-j...

Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c

Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49: runtime error: left shift of negative value -26

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-28: bug discovered and reported to upstream
2017-01-16: blog post about the issues

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/

--
Agostino
==============================================

CVE assignment: [2] http://seclists.org/oss-sec/2017/q1/106

[3] https://software.opensuse.org/package/jasper
Although the jasper version here is 1.900.14, it can also be vulnerable.

--
You are receiving this mail because: You are on the CC list for the bug.
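The three kinds of undefined behaviour in the UBSAN messages above (shift exponent out of range, left shift of a negative value, signed overflow) next to checked arithmetic helpers that reject them instead of silently miscomputing. This is an added example, not jasper code and not the reporter's or Agostino's reproducer; the helper names are made up, and the shift count 8 used with the value -185 is constructed because the report does not give it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of a checked operation: ok == false means the unchecked form
 * would have been undefined behaviour and value must not be used. */
typedef struct { bool ok; int64_t value; } checked64;
typedef struct { bool ok; int value; } checked32;

/* Left shift of a 64-bit signed value that is also defined for negative
 * inputs: v * 2^n is the arithmetic the shift is meant to compute, and the
 * overflow builtin catches results that do not fit. Exponents above 62
 * are rejected outright (the report's exponent 117 is one such case). */
static checked64 lshift64(int64_t v, unsigned n)
{
    checked64 r = { false, 0 };
    if (n > 62)
        return r;                       /* shift exponent too large */
    r.ok = !__builtin_mul_overflow(v, (int64_t)1 << n, &r.value);
    return r;
}

/* Signed 64-bit multiply with overflow detection (the jpc_dec.c:1838 case). */
static checked64 mul64(int64_t a, int64_t b)
{
    checked64 r = { false, 0 };
    r.ok = !__builtin_mul_overflow(a, b, &r.value);
    return r;
}

/* Signed 32-bit add with overflow detection (the jpc_tsfb.c:233 case). */
static checked32 add32(int a, int b)
{
    checked32 r = { false, 0 };
    r.ok = !__builtin_add_overflow(a, b, &r.value);
    return r;
}

int main(void)
{
    /* Operands are the ones quoted in the UBSAN messages; the shift count 8
     * for the -185 case is constructed, the report omits it. */
    checked64 s = lshift64(-185, 8);
    printf("-185 << 8 : %s %lld\n", s.ok ? "ok" : "REJECTED", (long long)s.value);
    printf("1 << 117 : %s\n", lshift64(1, 117).ok ? "ok" : "REJECTED");
    printf("-64356352 * 6359082673847140352 : %s\n",
           mul64(-64356352LL, 6359082673847140352LL).ok ? "ok" : "REJECTED");
    printf("2013306369 + 251691968 : %s\n",
           add32(2013306369, 251691968).ok ? "ok" : "REJECTED");
    return 0;
}
```

The negative-operand case is accepted and computed correctly (-185 * 256 = -47360), while the other three operations from the report are rejected; under `-fsanitize=undefined` the unchecked forms of those three are exactly what produced the messages above.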