security
security copied to clipboard
Published
20 hours ago •
NixOS
NixOS
Roundup: [oss-security] jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Skip to First Email
Instructions:
Identification
Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
fixed:
release-16.09: abc123
Skip to First Email
Upon Completion ...
- [ ] Update Graham's database
Info
Triage Indicator:
-needs-triage +roundup27 thread:00000000000037aa
- File Search: https://search.nix.gsc.io/?q=jasper&i=fosho&repos=nixos-nixpkgs
- GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=jasper+in%3Apath&type=Code
Should the search term be changed from jasper? Suggest a new package search by commenting:
-suggested:jasper +suggested:correctPackageName thread:00000000000037aa
Known CVEs: CVE-2017-6850
Skip to End
Wed, 25 Jan 2017 10:10:35 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 4852597.N8d9Bx2SxP@blackgate
Description:
jasper is an open-source initiative to provide a free software-based reference
implementation of the codec specified in the JPEG-2000 Part-1 standard.
Another round of fuzzing shows that a crafted image causes a NULL pointer
access.
The complete ASan output:
# imginfo -f $FILE
cannot parse box data
ASAN:DEADLYSIGNAL
=================================================================
==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0)
#0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys-
devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
#1 0x41da34 in
__asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*,
void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-
devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
rt/lib/asan/asan_allocator.cc:468
#2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long,
__sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-
devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
rt/lib/asan/asan_allocator.cc:522
#3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*,
__asan::AllocType) /tmp/portage/sys-
devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
rt/lib/asan/asan_allocator.cc:725
#4 0x4d271c in free /tmp/portage/sys-
devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
rt/lib/asan/asan_malloc_linux.cc:50
#5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media-
libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3
#6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media-
libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3
#7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media-
libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319
#8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media-
libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16
#9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media-
libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
#10 0x50a3be in main /tmp/portage/media-
libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
#11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-
devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in
atomic_compare_exchange_strong
==6697==ABORTING
Affected version:
2.0.10
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00124-jasper-nullptr-jp2_cdef_destroy
Timeline:
2017-01-18: bug discovered and reported upstream
2017-01-25: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c
--
Agostino Sarubbo
Gentoo Linux Developer
Skip to End
Wed, 25 Jan 2017 10:39:01 +0100 Salvatore Bonaccorso <carnil-at-debian.org>, [email protected]
Hi Agostino
On Wed, Jan 25, 2017 at 10:10:35AM +0100, Agostino Sarubbo wrote:
> Description:
> jasper is an open-source initiative to provide a free software-based reference
> implementation of the codec specified in the JPEG-2000 Part-1 standard.
>
> Another round of fuzzing shows that a crafted image causes a NULL pointer
> access.
>
> The complete ASan output:
>
> # imginfo -f $FILE
> cannot parse box data
> ASAN:DEADLYSIGNAL
> =================================================================
> ==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
> 0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0)
> #0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys-
> devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
> rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
> #1 0x41da34 in
> __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*,
> void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-
> devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
> rt/lib/asan/asan_allocator.cc:468
> #2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long,
> __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-
> devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
> rt/lib/asan/asan_allocator.cc:522
> #3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*,
> __asan::AllocType) /tmp/portage/sys-
> devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
> rt/lib/asan/asan_allocator.cc:725
> #4 0x4d271c in free /tmp/portage/sys-
> devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
> rt/lib/asan/asan_malloc_linux.cc:50
> #5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media-
> libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3
> #6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media-
> libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3
> #7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media-
> libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319
> #8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media-
> libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16
> #9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media-
> libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
> #10 0x50a3be in main /tmp/portage/media-
> libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
> #11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
> r3/work/glibc-2.23/csu/../csu/libc-start.c:289
> #12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-
> devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-
> rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in
> atomic_compare_exchange_strong
> ==6697==ABORTING
>
> Affected version:
> 2.0.10
>
> Fixed version:
> N/A
>
> Commit fix:
> N/A
>
> Credit:
> This bug was discovered by Agostino Sarubbo of Gentoo.
>
> CVE:
> N/A
>
> Reproducer:
> https://github.com/asarubbo/poc/blob/master/00124-jasper-nullptr-jp2_cdef_destroy
>
> Timeline:
> 2017-01-18: bug discovered and reported upstream
This should be: https://github.com/mdadams/jasper/issues/112
Could you please reference as well the upstream issues, if they are
reported in an upstream issue tracker? That would help much in
tracking the issues.
Regards,
Salvatore
Skip to End
Mon, 06 Mar 2017 09:48:12 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 1769785.C3oWb3WdBS@blackgate
On Wednesday 25 January 2017 10:10:35 Agostino Sarubbo
wrote:
> https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-j
> p2_cdef_destroy-jp2_cod-c
This is fixed in the following commit:
https://github.com/mdadams/jasper/commit/e96fc4fdd525fa
0ede28074a7e2b1caf94b58b0d
--
Agostino Sarubbo
Gentoo Linux Developer
Skip to End
Mon, 13 Mar 2017 12:06:58 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 6058659.ly9LUa4Ua5@blackgate
On Wednesday 25 January 2017 10:10:35 Agostino Sarubbo wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-j
> p2_cdef_destroy-jp2_cod-c
This is CVE-2017-6850
--
Agostino Sarubbo
Gentoo Linux Developer
Skip to End
