| Summary: | jasper new security issues CVE-2015-5203 and CVE-2015-5221 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tarazed25, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/655645/ | | |
| Whiteboard: | has_procedure MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | jasper-1.900.1-20.1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2016-01-25 18:11:00 CET

David Walser
2016-01-25 18:11:11 CET

Whiteboard: (none) => MGA5TOO

David Walser

Another CVE was assigned for an issue reported today (January 28):
http://openwall.com/lists/oss-security/2016/01/28/6

Summary: jasper new security issue CVE-2015-5221 => jasper new security issue CVE-2015-5221 and CVE-2016-2089

David Walser

Some security issues in jasper have been assigned CVE-2015-5203, and a patch is available that may fix some of them, but it does not completely apply cleanly:
http://openwall.com/lists/oss-security/2015/08/21/4

We have a backported patch from Arch checked into SVN, but currently disabled, because tests in Bug 16629 showed that it was broken.

Advisory bits related to this CVE, which I'm moving to this bug for now:

A double-free issue in JasPer 1.900.1 in the jasper_image_stop_load() function can cause a denial of service if a specially crafted JPEG image is loaded (CVE-2015-5203).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
http://openwall.com/lists/oss-security/2015/08/21/4

URL: (none) => http://lwn.net/Vulnerabilities/655645/

David Walser

(In reply to David Walser from comment #1)
> Another CVE was assigned for an issue reported today (January 28):
> http://openwall.com/lists/oss-security/2016/01/28/6

OpenSuSE has issued an advisory for CVE-2016-2089 today (February 10):
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html

from http://lwn.net/Vulnerabilities/675051/

Assigning to maintainer.

Assignee: bugsquad => mageia

David Walser

(In reply to David Walser from comment #3)
> (In reply to David Walser from comment #1)
> > Another CVE was assigned for an issue reported today (January 28):
> > http://openwall.com/lists/oss-security/2016/01/28/6
>
> OpenSuSE has issued an advisory for CVE-2016-2089 today (February 10):
> http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
>
> from http://lwn.net/Vulnerabilities/675051/

CVE-2016-2089 moved to Bug 17872.

Summary: jasper new security issues CVE-2015-5203, CVE-2015-5221, and CVE-2016-2089 => jasper new security issues CVE-2015-5203 and CVE-2015-5221

David Walser

LWN reference for CVE-2015-5221:
http://lwn.net/Vulnerabilities/697339/

David Walser

Fedora has issued an advisory for this on August 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/

Fedora's patch for CVE-2015-5203 looks like it's functionally the same as the one we previously used in Bug 16629, so we may run into the same problem again.

They have a patch for CVE-2015-5221, which is new.

David Walser

Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure in:
https://bugs.mageia.org/show_bug.cgi?id=14729

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

A double-free issue in JasPer 1.900.1 in the jasper_image_stop_load() function can cause a denial of service if a specially crafted JPEG image is loaded (CVE-2015-5203).

A use-after-free which leads to double-free vulnerability was found in Jasper JPEG-2000 library, in src/libjasper/mif/mif_cod.c file (CVE-2015-5221).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5221
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-20.5.mga5
libjasper1-1.900.1-20.5.mga5
libjasper-devel-1.900.1-20.5.mga5
libjasper-static-devel-1.900.1-20.5.mga5

from jasper-1.900.1-20.5.mga5.src.rpm

Assignee: mageia => qa-bugs

tarazed25

Trying this on x86_64.

ImageMagick functions work fine on a random JPEG image before update. Checking the references now for a PoC.

CC: (none) => tarazed25

tarazed25

Of course we are not testing ImageMagick. Using it here only as a cross-check.

Referring to David's disclaimer about CVE-2015-5203 in comment #6, I recovered the PoC file used in earlier tests and ran jasper before the updates.

```
$ jasper --input poc.jp2 --output-format jpg --output test.jpg
write component failed
error: cannot decode code stream
error: cannot load image data

$ gimp poc.jp2
Opening '/home/lcl/qa/jasper/poc.jp2' failed: Couldn't decode '/home/lcl/qa/jasper/poc.jp2'.

$ jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp
write component failed
error: cannot decode code stream
error: cannot load image data

# Tried an existing JPEG2000 file:
$ jasper -f piuva.jp2 -F temp.bmp -t jp2 -T bmp
$ ls -l temp.bmp
-rw-r--r-- 1 lcl wireshark 326454 Aug 30 20:05 temp.bmp
# The temporary bitmap file displays perfectly using ImageMagick.
# gimp displays the piuva.jp2 file if the user agrees to conversion of the built-in
# colour profile to sRGB space.

# Checking with ImageMagick:
$ display poc.jp2
display: Invalid number of tiles : 1 x 101946 (maximum fixed by jpeg2000 norm is 65535 tiles) `OpenJP2' @ error/jp2.c/JP2ErrorHandler/193.
display: Marker handler function failed to read the marker segment `OpenJP2' @ error/jp2.c/JP2ErrorHandler/193.
display: unable to decode image file `poc.jp2' @ error/jp2.c/ReadJP2Image/349.
```

Obtained the PoC file for CVE-2015-5221 and fed it to jasper:

```
$ jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)
# This is in accord with the readme.txt supplied with the image file.
$ display temp.bmp
# This showed a tiny narrow rectangle at [0,0] on the screen, possibly 6 pixels high.
```

Installed the updates and ran the PoC tests.

```
CVE-2015-5221:
$ jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

CVE-2015-5203:
$ jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp
write component failed
error: cannot decode code stream
error: cannot load image data
# Note no segfaults or stack dumps, which might indicate that the patches are working.
```

However, jasper continues to convert supported image file format conversions:

```
$ jasper -f Badlands.jpg -F badlands.pnm -t jpg -T pnm
$ jasper -f piuva.jp2 -F temp.jpg -t jp2 -T jpg
$ jasper -f Badlands.jpg -F badlands.jp2 -t jpg -T jp2
$ jasper -f badlands.jp2 -F badlands.jpc -t jp2 -T jpc
$ jasper -f Badlands.jpg -F badlands.bmp -t jpg -T bmp
$ jasper -f Badlands.jpg -F badlands.ras -t jpg -T ras
```

Leaving this as it is to allow for comments.

tarazed25

s/format conversions/formats correctly/

wilcal.int

In VirtualBox, M5, KDE, 32-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test: jasper imagemagick imagemagick-desktop

use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

```
[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.i586 is already installed
```

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

```
[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.i586 is already installed
```

( there are no updates to the imagemagick packages )

I can open and view the image previously created with ImageMagick-desktop

I can open, and edit, a 2nd jpg image with the ImageMagick-desktop icon

CC: (none) => wilcal.int

wilcal.int

In VirtualBox, M5, KDE, 64-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test: jasper imagemagick imagemagick-desktop

use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

```
[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.x86_64 is already installed
```

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

```
[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.x86_64 is already installed
```

I can open and view the image previously created with ImageMagick-desktop

I can open, and edit, a 2nd jpg image with the ImageMagick-desktop icon

wilcal.int

This is a minor security update, therefore if there are any functional problems they should be on a separate bug. IMO this bug is good to go and I'll validate it in 24 hours unless there are objections.

wilcal.int

This update works fine. Testing complete for MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates? Thanks

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins
2016-09-06 20:43:12 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0298.html

Resolution: (none) => FIXED
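The PoC runs in the testing comments above turn on one observation: after the update, jasper rejects the crafted files with "cannot decode code stream" rather than dying in a segfault or stack dump, which is what a double-free or use-after-free typically produces. The following POSIX sh harness is an added example, not part of this bug report and not code from the jasper project; it automates that distinction by classifying the decoder's exit status (POSIX shells report a child killed by a signal as 128 + signal number, so SIGSEGV gives 139 and SIGABRT 134). The jasper invocation mirrors the one in the test procedure; the DECODER variable is an assumption of this example so the harness can be exercised without jasper installed, and the file names are the ones used in the bug.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or from jasper itself): classify how a decoder
# exits on each input so that a crash is distinguished from a clean "cannot decode"
# rejection. POSIX shells report a child killed by a signal as exit status
# 128 + signal number (SIGSEGV = 11 -> 139, SIGABRT = 6 -> 134); a plain non-zero
# status is an ordinary decode error, and 0 means the file was converted.

# classify_status STATUS: prints "ok", "rejected (exit N)" or "crashed (signal N)"
classify_status() {
    case $1 in
        0) echo ok ;;
        *) if [ "$1" -ge 128 ]; then
               echo "crashed (signal $(($1 - 128)))"
           else
               echo "rejected (exit $1)"
           fi ;;
    esac
}

# run_and_classify COMMAND [ARGS...]: runs the command with its output discarded and
# prints the classification of its exit status. The if-form keeps `set -e` from
# aborting the script when the command fails or is killed by a signal.
run_and_classify() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# decode_jp2 INPUT OUTPUT: the jasper invocation used in the test procedure above.
# DECODER is an assumption of this example so the harness can be tried without jasper
# (for instance DECODER=true); it defaults to the real binary.
decode_jp2() {
    run_and_classify "${DECODER:-jasper}" -f "$1" -F "$2" -t jp2 -T bmp
}

# check_inputs FILE...: decodes every file, prints one "file: result" line each, and
# returns 1 if any decoder run crashed, which is the condition the PoC tests look for.
check_inputs() {
    crashed=0
    for f in "$@"; do
        result=$(decode_jp2 "$f" "${f%.*}.bmp")
        echo "$f: $result"
        case $result in crashed*) crashed=1 ;; esac
    done
    return $crashed
}

# Stand-alone use, e.g.: sh harness.sh poc.jp2 jasper.poc piuva.jp2
if [ $# -gt 0 ]; then
    check_inputs "$@"
fi
```

A non-zero return from check_inputs is the signal that a sample still crashes the decoder and the fix is incomplete; a "rejected" line is the expected outcome for a malformed file and an "ok" line is expected for a valid one such as piuva.jp2.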