Bug 17872

Summary: jasper new security issues CVE-2016-1577, CVE-2016-2089, and CVE-2016-2116
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/675051/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: jasper-1.900.1-20.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-03 16:09:52 CET 
OpenSuSE has issued an advisory for CVE-2016-2089 on February 10:
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html

CVE request and assignment for that from January 28:
http://seclists.org/oss-sec/2016/q1/84
http://openwall.com/lists/oss-security/2016/01/28/6

PoC attached to the CVE request above.

Ubuntu has announced CVE-2016-1577 and CVE-2016-2116 today (March 3):
http://openwall.com/lists/oss-security/2016/03/03/12

PoC for CVE-2016-1577 is attached to the Ubuntu bug:
https://launchpad.net/bugs/1547865

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory to come later.

Updated packages in core/updates_testing:
========================
jasper-1.900.1-20.4.mga5
libjasper1-1.900.1-20.4.mga5
libjasper-devel-1.900.1-20.4.mga5
libjasper-static-devel-1.900.1-20.4.mga5

from jasper-1.900.1-20.4.mga5.src.rpm
Comment 1 David Walser 2016-03-03 16:10:16 CET 
Testing procedure in:
https://bugs.mageia.org/show_bug.cgi?id=14729

Whiteboard: (none) => has_procedure

David Walser 2016-03-03 16:12:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/675051/

Comment 2 David Walser 2016-03-03 16:16:14 CET 
Advisory:
========================

Updated jasper packages fix security vulnerabilities:

The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote
attackers to cause a denial of service (invalid read and application crash)
via a crafted JPEG 2000 image (CVE-2016-2089).

Jacob Baines discovered that a double free vulnerability in the
jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote
attackers to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-1577).

Tyler Hicks discovered that a memory leak in the jas_iccprof_createfrombuf
function in JasPer 1.900.1 and earlier allows remote attackers to cause a
denial of service (memory consumption) via a crafted ICC color profile in a
JPEG 2000 image file (CVE-2016-2116).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116
http://openwall.com/lists/oss-security/2016/03/03/12
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
Comment 3 David Walser 2016-03-03 16:51:13 CET 
Ubuntu has issued an advisory for their 2 CVEs today (March 3):
http://www.ubuntu.com/usn/usn-2919-1/

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote
attackers to cause a denial of service (invalid read and application crash)
via a crafted JPEG 2000 image (CVE-2016-2089).

Jacob Baines discovered that a double free vulnerability in the
jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote
attackers to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-1577).

Tyler Hicks discovered that a memory leak in the jas_iccprof_createfrombuf
function in JasPer 1.900.1 and earlier allows remote attackers to cause a
denial of service (memory consumption) via a crafted ICC color profile in a
JPEG 2000 image file (CVE-2016-2116).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
http://www.ubuntu.com/usn/usn-2919-1/
Comment 4 William Kenney 2016-03-04 16:19:55 CET 
In VirtualBox, M5, KDE, 32-bit

imagemagick & imagemagick-desktop uses jasper

Package(s) under test:
jasper imagemagick imagemagick-desktop
use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.i586 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.i586 is already installed
( there are no updates to the imagemagick packages )

I can open, and edit, a jpg image with the ImageMagick-desktop icon

CC: (none) => wilcal.int

Comment 5 William Kenney 2016-03-04 16:36:43 CET 
In VirtualBox, M5, KDE, 64-bit

imagemagick & imagemagick-desktop uses jasper

Package(s) under test:
jasper imagemagick imagemagick-desktop
use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.x86_64 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.x86_64 is already installed
( there are no updates to the imagemagick packages )

I can open, and edit, a jpg image with the ImageMagick-desktop icon
Comment 6 William Kenney 2016-03-04 16:37:47 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2016-03-04 18:38:45 CET 
LWN reference for CVE-2016-1577 and CVE-2016-2116:
http://lwn.net/Vulnerabilities/678818/
Comment 8 Lewis Smith 2016-03-07 13:31:00 CET 
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 9 Mageia Robot 2016-03-07 19:04:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0100.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED