This repository was archived by the owner on Feb 7, 2024. It is now read-only.
This repository was archived by the owner on Feb 7, 2024. It is now read-only.
Roundup: [oss-security] Re: JasPer 2.0.12 NULL Pointer Dereference jp2_encode (jp2_enc.c) #101
Description
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Instructions:
Identification
Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
fixed:
release-16.09: abc123
Upon Completion ...
- Update Graham's database
Info
Triage Indicator:
-needs-triage +roundup27 thread:0000000000004005
- File Search: https://search.nix.gsc.io/?q=jasper&i=fosho&repos=nixos-nixpkgs
- GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=jasper+in%3Apath&type=Code
Should the search term be changed from jasper? Suggest a new package search by commenting:
-suggested:jasper +suggested:correctPackageName thread:0000000000004005
Known CVEs:
Sun, 5 Mar 2017 21:16:22 -0500 Anthony Sasadeusz <sasadeu1-at-umbc.edu>, CAH468doehvXuMkgF3caMFmia4K+dXJp5=6JFRTrkNGkHFiNoow@mail.gmail.com
admin@ip-172-31-13-10:~/jasper/build-asan/src/appl$ ./jasper --input
../../../build-afl/src/appl/findings/crashes/id\:000000\,sig\:11\,src\:000002\,op\:havoc\,rep\:16
--output /dev/null --output-format jp2
ASAN:SIGSEGV
=================================================================
==16088==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x7f45f3104fe6 sp 0x7ffcd24052c0 bp 0x7ffcd24063d0 T0)
#0 0x7f45f3104fe5 in jp2_encode
/home/admin/jasper/src/libjasper/jp2/jp2_enc.c:119
#1 0x7f45f30de187 in jas_image_encode
/home/admin/jasper/src/libjasper/base/jas_image.c:471
#2 0x402494 in main /home/admin/jasper/src/appl/jasper.c:277
#3 0x7f45f2a1eb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#4 0x401908 (/home/admin/jasper/build-asan/src/appl/jasper+0x401908)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/admin/jasper/src/libjasper/jp2/jp2_enc.c:119 jp2_encode
==16088==ABORTING
This also happens on the latest master branch.
The repo: https://github.com/mdadams/jasper
Crashing inputs found with afl:
https://github.com/nullsector/jasper-fuzz/tree/master/testcases/crashes
Mon, 6 Mar 2017 09:06:00 +0100 Emilio Pozuelo Monfort <pochu27-at-gmail.com>, 57f09f12-2cf9-a77b-86d9-1f981fc10930@gmail.com
On 06/03/17 03:16, Anthony Sasadeusz wrote:
> admin@ip-172-31-13-10:~/jasper/build-asan/src/appl$ ./jasper --input
> ../../../build-afl/src/appl/findings/crashes/id\:000000\,sig\:11\,src\:000002\,op\:havoc\,rep\:16
> --output /dev/null --output-format jp2
> ASAN:SIGSEGV
> =================================================================
> ==16088==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
> (pc 0x7f45f3104fe6 sp 0x7ffcd24052c0 bp 0x7ffcd24063d0 T0)
> #0 0x7f45f3104fe5 in jp2_encode
> /home/admin/jasper/src/libjasper/jp2/jp2_enc.c:119
> #1 0x7f45f30de187 in jas_image_encode
> /home/admin/jasper/src/libjasper/base/jas_image.c:471
> #2 0x402494 in main /home/admin/jasper/src/appl/jasper.c:277
> #3 0x7f45f2a1eb44 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
> #4 0x401908 (/home/admin/jasper/build-asan/src/appl/jasper+0x401908)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV
> /home/admin/jasper/src/libjasper/jp2/jp2_enc.c:119 jp2_encode
> ==16088==ABORTING
>
>
> This also happens on the latest master branch.
> The repo: https://github.com/mdadams/jasper
>
> Crashing inputs found with afl:
> https://github.com/nullsector/jasper-fuzz/tree/master/testcases/crashes
You should request CVEs at http://cveform.mitre.org/ these days.
Also it'd be good if you opened an upstream bug report about this.
Cheers,
Emilio
Mon, 6 Mar 2017 15:38:55 +0100 Tomas Hoger <thoger-at-redhat.com>, 20170306153855.7eb0672f@redhat.com
On Mon, 6 Mar 2017 09:06:00 +0100 Emilio Pozuelo Monfort wrote:
> > This also happens on the latest master branch.
> > The repo: https://github.com/mdadams/jasper
> >
> > Crashing inputs found with afl:
> > https://github.com/nullsector/jasper-fuzz/tree/master/testcases/crashes
>
> You should request CVEs at http://cveform.mitre.org/ these days.
>
> Also it'd be good if you opened an upstream bug report about this.
Looks like that was already done:
https://github.com/mdadams/jasper/issues/120
--
Tomas Hoger / Red Hat Product Security
Mon, 6 Mar 2017 17:28:21 -0500 Anthony Sasadeusz <sasadeu1-at-umbc.edu>, CAH468dos8V4PXioySSBW1hR0Nm5-Bd007HmrSLwE=yKakzOmbg@mail.gmail.com
Reference: http://www.openwall.com/lists/oss-security/2017/03/06/1
Fixed in the following commit:
https://github.com/mdadams/jasper/commit/58ba0365d911b9f9dd68e9abf826682c0b4f2293
Thanks,
Anthony