Roundup: [oss-security] jasper: NULL pointer dereference in jpc_tsfb_synthesize (jpc_tsfb.c)

[grahamc]

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

• [ ] Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:000000000000262e

• File Search: https://search.nix.gsc.io/?q=jasper&i=fosho&repos=nixos-nixpkgs
• GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=jasper+in%3Apath&type=Code

Should the search term be changed from jasper? Suggest a new package search by commenting:

-suggested:jasper +suggested:correctPackageName thread:000000000000262e

Known CVEs: CVE-2016-10248

---

Skip to End

Thu, 20 Oct 2016 09:43:40 +0200 Agostino Sarubbo <ago-at-gentoo.org>, 5184269.v1vKSl7Lqd@blackgate

Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.5) revealed another NULL 
pointer access

The complete ASan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (14 bytes)
warning: not enough tile data (15 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
ASAN:DEADLYSIGNAL
=================================================================
==7144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x7f6d3c37d0b0 bp 0x7ffdc7407a90 sp 0x7ffdc7407a30 T0)
    #0 0x7f6d3c37d0af in jpc_tsfb_synthesize /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4
    #1 0x7f6d3c2f5140 in jpc_dec_tiledecode /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:1068:3
    #2 0x7f6d3c2e5c40 in jpc_dec_process_sod /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:623:7
    #3 0x7f6d3c2ef294 in jpc_dec_decode /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x7f6d3c2ef294 in jpc_decode /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:254
    #5 0x7f6d3c2bd061 in jp2_decode /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:215:21
    #6 0x7f6d3c24df39 in jas_image_decode /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #7 0x4f1686 in main /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #8 0x7f6d3b35c61f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #9 0x418e68 in _init (/usr/bin/imginfo+0x418e68)                                                                                                                                                                                                                           

AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-
libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4 in 
jpc_tsfb_synthesize                                                                                                                           
==7144==ABORTING

Affected version:
1.900.5

Fixed version:
1.900.9

Commit fix:
https://github.com/mdadams/jasper/commit/2e82fa00466ae525339754bb3ab0a0474a31d4bd

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-10-19: bug discovered
2016-10-19: bug reported to upstream
2016-10-20: upstream released the patch and 1.900.9
2016-10-20: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/10/20/jasper-null-pointer-dereference-in-jpc_tsfb_synthesize-jpc_tsfb-c/

Skip to End

---

Mon, 13 Mar 2017 11:31:33 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 2036100.Yz5vC6aIUd@blackgate

On Thursday 20 October 2016 09:43:40 Agostino Sarubbo wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2016/10/20/jasper-null-pointer-dereference-in-j
> pc_tsfb_synthesize-jpc_tsfb-c/

This is CVE-2016-10248

-- 
Agostino Sarubbo
Gentoo Linux Developer

Skip to End

---

[ndowens]

Master: unaffected 16.09: unaffected As both has version 2.0.12, which is after this CVE

[Mic92]

we have jasper-2.0.10 not jasper-2.0.12

[grahamc]

fwiw I've merged the .12 update, because they're usually worth updating to. This issue is still one.

The patches I madee are:

master: 6c17ad677c4970c87e8562574ea7e6fbf12b0813 release-16.09: 4368adb6ac631b3bdbb071e96dfc545c1f8f92e1 release-17.03: beab3073c9caec3e6b67558efc6111bb68c7a2ab