security
security copied to clipboard
Published
20 hours ago •
NixOS
NixOS
Roundup: [oss-security] jasper: use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c)
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Skip to First Email
Instructions:
Identification
Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
fixed:
release-16.09: abc123
Skip to First Email
Upon Completion ...
- [ ] Update Graham's database
Info
Triage Indicator:
-needs-triage +roundup27 thread:0000000000002a22
- File Search: https://search.nix.gsc.io/?q=jasper&i=fosho&repos=nixos-nixpkgs
- GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=jasper+in%3Apath&type=Code
Should the search term be changed from jasper? Suggest a new package search by commenting:
-suggested:jasper +suggested:correctPackageName thread:0000000000002a22
Known CVEs: CVE-2016-10251
Skip to End
Fri, 04 Nov 2016 15:43:31 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 6451341.vFYbS6xerg@blackgate
If suitable for a CVE please assign one. Thanks.
Description:
jasper is an open-source initiative to provide a free software-based reference
implementation of the codec specified in the JPEG-2000 Part-1 standard.
I decided to try another round of fuzzing with the Memory Sanitizer enabled,
and I discovered that there is an use-of-uninitialized-value in
jpc_pi_nextcprl
The complete MSan output:
# imginfo -f $FILE
warning: trailing garbage in marker segment (14 bytes)
warning: trailing garbage in marker segment (14 bytes)
warning: ignoring unknown marker segment
type = 0xff41 (UNKNOWN); len = 20;01 87 01 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 warning: trailing garbage in marker segment (14 bytes)
==7937==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7fc562323907 in jpc_pi_nextcprl /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2cod.c:482:12
#1 0x7fc562323907 in jpc_pi_next /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2cod.c:125
#2 0x7fc56232aadc in jpc_dec_decodepkts /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2dec.c:441:14
#3 0x7fc5621fa9f1 in jpc_dec_process_sod /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:594:6
#4 0x7fc56220c574 in jpc_dec_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:391:10
#5 0x7fc56220c574 in jpc_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:255
#6 0x7fc5621ac5a4 in jp2_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:215:21
#7 0x7fc5620d69d1 in jas_image_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:396:16
#8 0x557bb7618831 in main /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/appl/imginfo.c:203:16
#9 0x7fc5611e961f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#10 0x557bb7599a28 in _init (/usr/bin/imginfo+0x1aa28)
Uninitialized value was created by a heap allocation
#0 0x557bb75bf639 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/msan/msan_interceptors.cc:1002
#1 0x7fc5621507d4 in jas_malloc /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_malloc.c:148:13
#2 0x7fc562152520 in jas_alloc2 /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_malloc.c:275:9
#3 0x7fc56233360c in jpc_dec_pi_create /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2dec.c:506:30
#4 0x7fc5621f2c71 in jpc_dec_tileinit /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:911:19
#5 0x7fc5621f2c71 in jpc_dec_process_sod /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:560
#6 0x7fc56220c574 in jpc_dec_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:391:10
#7 0x7fc56220c574 in jpc_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:255
#8 0x7fc5621ac5a4 in jp2_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:215:21
#9 0x7fc5620d69d1 in jas_image_decode /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:396:16
#10 0x557bb7618831 in main /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/appl/imginfo.c:203:16
#11 0x7fc5611e961f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
SUMMARY: MemorySanitizer: use-of-uninitialized-value /tmp/portage/media-
libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2cod.c:482:12
in jpc_pi_nextcprl
Exiting
Affected version:
1.900.17
Fixed version:
1.900.20
Commit fix:
https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00029-jasper-uninitvalue-jpc_pi_nextcprl
Timeline:
2016-11-03: bug discovered and reported to upstream
2016-11-04: upstream released a patch
2016-11-04: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2016/11/04/jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c
Skip to End
Mon, 13 Mar 2017 11:40:07 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 26134027.ubZr3Z7UH6@blackgate
On Friday 04 November 2016 15:43:31 Agostino Sarubbo
wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2016/11/04/jasper-use-of-uninitialized-value-in
> -jpc_pi_nextcprl-jpc_t2cod-c
This is CVE-2016-10251
--
Agostino Sarubbo
Gentoo Linux Developer
Skip to End
