Mageia Bugzilla – Attachment 10233 Details for Bug 23139: jasper missing fix for security issue CVE-2016-9396 and new security issue CVE-2018-9055
Testcases for several CVEs.
report.23139 (text/plain), 7.70 KB, created by Len Lawrence on 2018-06-09 23:18:41 CEST
Mageia 6, x86_64
========================================================================
Before updating:

CVE-2018-9055
https://github.com/TeamSeri0us/pocs/blob/master/jasper/poc
https://bugzilla.suse.com/show_bug.cgi?id=1087020
$ jasper --input poc --input-format jpc --output out.jp2
jasper: jpc_math.c:113: jpc_firstone: Assertion `x >= 0' failed.
Aborted (core dumped)
---------------------------------------------------------------
The following CVEs look quite old so it would not be surprising if fixes are already in place. Several of them were listed on the earlier bug https://bugs.mageia.org/show_bug.cgi?id=19605.

CVE-2016-9387
https://github.com/asarubbo/poc/blob/master/00003-jasper-assert-jas_matrix_t
$ imginfo -f 00003-jasper-assert-jas_matrix_t
warning: ignoring invalid option max_samples
YTOsiz not in permissible range
cannot get marker segment
error: cannot decode code stream
cannot load image
?? Looks like the problem is handled cleanly.
---------------------------------------------------------------
CVE-2016-9388
https://github.com/asarubbo/poc/blob/master/00005-jasper-assert-ras_getcmap
$ imginfo -f 00005-jasper-assert-ras_getcmap
warning: ignoring RAS decoder options
warning: palettized images not fully supported
cannot load image
---------------------------------------------------------------
CVE-2016-9389
https://github.com/asarubbo/poc/blob/master/00006-jasper-assert-jpc_irct
$ imginfo -f 00006-jasper-assert-jpc_irct
warning: ignoring invalid option max_samples
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
RCT requires all components have the same domain
cannot load image

https://github.com/asarubbo/poc/blob/master/00008-jasper-assert-jpc_iict
$ imginfo -f 00008-jasper-assert-jpc_iict
warning: ignoring invalid option max_samples
warning: ignoring unknown marker segment (0xff76)
type = 0xff76 (UNKNOWN); len = 20;10 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RCT requires all components have the same domain
error: cannot decode code stream
cannot load image
---------------------------------------------------------------
CVE-2016-9390
https://github.com/asarubbo/poc/blob/master/00007-jasper-assert-jas_matrix_t
$ imginfo -f 00007-jasper-assert-jas_matrix_t
warning: ignoring invalid option max_samples
XTOsiz not in permissible range
cannot get marker segment
cannot load image
---------------------------------------------------------------
CVE-2016-9391
https://github.com/asarubbo/poc/blob/master/00014-jasper-assert-jpc_bitstream_getbits
$ imginfo -f 00014-jasper-assert-jpc_bitstream_getbits
warning: ignoring invalid option max_samples
XTOsiz not in permissible range
cannot get marker segment
error: cannot decode code stream
cannot load image
---------------------------------------------------------------
CVE-2016-9392
https://github.com/asarubbo/poc/blob/master/00012-jasper-assert-calcstepsizes
$ imginfo -f 00012-jasper-assert-calcstepsizes
warning: ignoring invalid option max_samples
XTOsiz not in permissible range
cannot get marker segment
error: cannot decode code stream
cannot load image
---------------------------------------------------------------
CVE-2016-9393
https://github.com/asarubbo/poc/blob/master/00013-jasper-assert-jpc_pi_nextrpcl
$ imginfo -f 00013-jasper-assert-jpc_pi_nextrpcl
warning: ignoring invalid option max_samples
XTOsiz not in permissible range
cannot get marker segment
error: cannot decode code stream
cannot load image
---------------------------------------------------------------
CVE-2016-9394
https://github.com/asarubbo/poc/blob/master/00016-jasper-assert-jas_matrix_t
$ imginfo -f 00016-jasper-assert-jas_matrix_t
warning: ignoring invalid option max_samples
YTOsiz not in permissible range
cannot get marker segment
error: cannot decode code stream
cannot load image
---------------------------------------------------------------
CVE-2016-9395
https://github.com/asarubbo/poc/blob/master/00043-jasper-assert-jas_matrix_t
$ imginfo -f 00043-jasper-assert-jas_matrix_t
warning: ignoring invalid option max_samples
warning: trailing garbage in marker segment (9 bytes)
warning: trailing garbage in marker segment (40 bytes)
warning: ignoring unknown marker segment (0xffee)
type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 ff 00 e4 00 10 00 00 4f warning: trailing garbage in marker segment (34 bytes)
cannot load image
---------------------------------------------------------------
CVE-2016-9396
https://github.com/asarubbo/poc/blob/master/00004-jasper-assert-JPC_NOMINALGAIN
https://bugzilla.redhat.com/show_bug.cgi?id=1485272
$ imginfo -f POC1
warning: ignoring invalid option max_samples
imginfo: jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed.
Aborted (core dumped)
---------------------------------------------------------------
CVE-2016-9397
https://github.com/asarubbo/poc/blob/master/00010-jasper-assert-jpc_dequantize
$ imginfo -f 00010-jasper-assert-jpc_dequantize
warning: ignoring invalid option max_samples
warning: ignoring unknown marker segment (0xff76)
type = 0xff76 (UNKNOWN); len = 20;00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: jpc_dec.c:1830: jpc_dequantize: Assertion `absstepsize >= 0' failed.
Aborted (core dumped)
---------------------------------------------------------------
CVE-2016-9398
https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2
$ imginfo -f 00023-jasper-assert-jpc_floorlog2
warning: ignoring invalid option max_samples
imginfo: jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
Aborted (core dumped)
---------------------------------------------------------------
CVE-2016-9399
https://github.com/asarubbo/poc/blob/master/00044-jasper-assert-calcstepsizes
$ imginfo -f 00044-jasper-assert-calcstepsizes
warning: ignoring invalid option max_samples
warning: trailing garbage in marker segment (9 bytes)
warning: trailing garbage in marker segment (28 bytes)
warning: trailing garbage in marker segment (40 bytes)
warning: ignoring unknown marker segment (0xffee)
type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 40 e4 e4 00 10 00 00 4f warning: trailing garbage in marker segment (12 bytes)
imginfo: jpc_dec.c:1650: calcstepsizes: Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
Aborted (core dumped)

==============================================================
After updating:

CVE-2018-9055
$ jasper --input poc --input-format jpc --output out.jp2
$ file out.jp2
out.jp2: JPEG 2000 Part 1 (JP2)
<Not an image file - cannot be displayed>
This looks OK.
--------------------------------------------------------------
CVE-2016-938{7,8}
Same output.
--------------------------------------------------------------
CVE-2016-9389
Same outputs.
--------------------------------------------------------------
CVE-2016-939{0,1,2,3,4,5}
Same output.
--------------------------------------------------------------
CVE-2016-9396
warning: ignoring invalid option max_samples
cannot get marker segment
cannot load image
<No abort this time>
--------------------------------------------------------------
CVE-2016-9397
Same output.
<This aborts as before so it is a Fail>
--------------------------------------------------------------
CVE-2016-9398
Same output.
<This aborts as before so it is a Fail>
--------------------------------------------------------------
CVE-2016-9399
warning: ignoring invalid option max_samples
warning: trailing garbage in marker segment (9 bytes)
warning: trailing garbage in marker segment (28 bytes)
warning: trailing garbage in marker segment (40 bytes)
warning: ignoring unknown marker segment (0xffee)
type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 40 e4 e4 00 10 00 00 4f cannot get marker segment
cannot load image
<Abort before so this is a Pass>
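The report above judges each PoC by hand: an "Aborted (core dumped)" line is a Fail, a clean "cannot load image" rejection is a Pass. The harness below, added here as an example and not part of Len Lawrence's attachment, automates that judgement from the decoder's exit status; the tool names imginfo and jasper are from the report, the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original attachment: automates the
# Pass/Fail judgement the report makes by hand. A hardened decoder rejects
# a malformed PoC with an error message and a plain non-zero exit; the
# unpatched builds in the report die on an assert(), i.e. SIGABRT, which
# the shell reports as exit status 128 + 6 = 134.

# classify_status EXIT_STATUS: print PASS for success or a clean rejection,
# FAIL when the decoder was killed by a signal (abort, segfault, ...).
classify_status() {
    case "$1" in
        0)   echo "PASS (decoded)" ;;
        134) echo "FAIL (SIGABRT: assertion failure)" ;;
        139) echo "FAIL (SIGSEGV)" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "FAIL (killed by signal $(( $1 - 128 )))"
            else
                echo "PASS (rejected cleanly, exit $1)"
            fi ;;
    esac
}

# run_poc CMD [ARGS...]: run one decoder invocation from the report
# (e.g. imginfo -f FILE) with its output discarded and classify the exit status.
run_poc() {
    if "$@" >/dev/null 2>&1; then status=0; else status=$?; fi
    classify_status "$status"
}

# check_all TOOL FILE...: run every PoC file through TOOL's -f option, print
# one verdict per file and return the number of FAILs (0 means every fix holds).
check_all() {
    tool="$1"; shift
    fails=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then echo "$f: missing PoC file"; continue; fi
        verdict=$(run_poc "$tool" -f "$f")
        echo "$f: $verdict"
        case "$verdict" in FAIL*) fails=$((fails + 1)) ;; esac
    done
    return "$fails"
}

# Usage as in the report, after fetching the PoC files listed above:
#   check_all imginfo 00004-jasper-assert-JPC_NOMINALGAIN 00010-jasper-assert-jpc_dequantize
#   run_poc jasper --input poc --input-format jpc --output out.jp2
```

Running check_all before and after the package update and diffing the two verdict lists gives the same Pass/Fail table the report compiles manually.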