| Summary: | jasper missing fix for security issue CVE-2016-9396 and new security issue CVE-2018-9055 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK | ||
| Source RPM: | jasper-2.0.14-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Brief description of PoC tests for various CVEs; Un piccolo divertimento (Testcases for several CVEs.) | ||
Description
David Walser
2018-06-07 22:38:44 CEST
openSUSE has issued an advisory on May 28: https://lists.opensuse.org/opensuse-updates/2018-05/msg00130.html It fixes one new issue. Mageia 5 and Mageia 6 are probably also affected.

Summary: jasper missing fix for security issue CVE-2016-9396 => jasper missing fix for security issue CVE-2016-9396 and new security issue CVE-2018-9055

Done for Cauldron, mga6 and also mga5!

CC: (none) => geiger.david68210

Thanks David!

Advisory:
========================
Updated jasper packages fix security vulnerabilities:

An assertion failure was possible to trigger in JPC_NOMINALGAIN (CVE-2016-9396).

Denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c could lead to denial of service (CVE-2018-9055).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9055
https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V63HVBFSQBPI6D3JW46NY32DKGCE2YB4/
https://lists.opensuse.org/opensuse-updates/2018-05/msg00130.html
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.23-1.1.mga5
libjasper1-1.900.23-1.1.mga5
libjasper-devel-1.900.23-1.1.mga5
libjasper-static-devel-1.900.23-1.1.mga5
jasper-1.900.23-5.1.mga6
libjasper1-1.900.23-5.1.mga6
libjasper-devel-1.900.23-5.1.mga6
libjasper-static-devel-1.900.23-5.1.mga6

from SRPMS:
jasper-1.900.23-1.1.mga5.src.rpm
jasper-1.900.23-5.1.mga6.src.rpm

CC: (none) => nicolas.salguero

Taking this on for Mageia 6, x86_64.
Have accumulated a number of testcases discovered upstream using the American Fuzzy Lop technique. There is a chance that some of these might require testing in an ASAN framework. More later.

CC: (none) => tarazed25

MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Downloaded testfiles relax.jp2 and imagewithalpha.jp2 from bug 19605 Comment 23. Gimp cannot open any of the 2, which is in line with bug 19605.
$ imginfo relax.jp2
just hangs for 20 min. now, no feedback at all. I wonder if this is due to the laptop not being able to handle this???

CC: (none) => herman.viaene

@Herman In the middle of the PoC tests just now but shall see how 64-bits handles those files. This machine has lots of RAM as well.

Created attachment 10231
Brief description of PoC tests for various CVEs

Some of the CVEs have been listed against jasper before which could explain why some of the tests run fine before and after the update (no change, and indications that the underlying issues are handled cleanly).

@Herman - comment 5. Try
$ imginfo -f relax.jp2
^ That one caught me too at the beginning.

Created attachment 10232
Un piccolo divertimento
There were two failures in the PoC tests, for CVEs 2016-939{7,8}.
Referring back to Herman's tests and bug 19605 c3....
Downloaded ht2jk.jpg from https://jpeg.org/jpeg2000/htj2k.html.
$ file ht2jk.jpg
ht2jk.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=12, manufacturer=Canon, model=Canon PowerShot A540, orientation=upper-left, xresolution=186, yresolution=194, resolutionunit=2, datetime=2009:09:13 12:26:29], baseline, precision 8, 2816x558, frames 3
Looks like an ordinary JPEG.
$ imginfo -f ht2jk.jpg
jpg 3 2816 558 8 4713984
$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2
$ imginfo -f riverpan.jp2
warning: ignoring invalid option max_samples
jp2 3 2816 558 8 4713984
$ diff riverpan.jp2 ht2jk.jpg
Binary files riverpan.jp2 and ht2jk.jpg differ
$ od -a ht2jk.jpg | head -2
0000000 del X del ` nul dle J F I F nul soh soh soh nul `
0000020 nul ` nul nul del a nak ` E x i f nul nul M M
$ od -a riverpan.jp2 | head -2
0000000 nul nul nul ff j P sp sp cr nl bel nl nul nul nul dc4
0000020 f t y p j p 2 sp nul nul nul nul j p 2 sp
Comparing the tail ends also indicates a difference in encoding, so the file has been converted, not just renamed.
Downloaded these sample files from github - relax.jp2, sail.j2k, world.jp2.
$ imginfo -f relax.jp2
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image
This is not a regression because the same image copied to another system with pre-update jasper loaded gives the same message. ImageMagick has no problem displaying it.
$ imginfo -f sail.j2k
warning: ignoring invalid option max_samples
jpc 3 640 480 8 921600
$ imginfo -f world.jp2
warning: ignoring invalid option max_samples
jp2 3 800 400 8 960000
These display fine also.
$ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2
$ display greyvale.jp2
$ imginfo -f greyvale.jp2
warning: ignoring invalid option max_samples
jp2 1 2304 1728 8 3981312
$ jasper -f sail.j2k -F sail.bmp -T bmp
$ display sail.bmp
$ imginfo -f sail.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
No regression there. The image displays fine.
$ jasper -f sail.j2k -t jp2 -F sail.pnm -T pnm
error: expecting signature box
error: cannot load image data
This produced an empty output file.
$ convert sail.j2k sail.bmp
$ display sail.bmp
$ jasper -f sail.bmp -t bmp -F sail.pnm -T pnm
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
cannot get info
error: cannot load image data
$ display sail.pnm
display: improper image header `sail.pnm' @ error/pnm.c/ReadPNMImage/287.
jasper is still a work in progress by the looks of it. None of these failures should be regarded as regressions. We have seen them before, but the failed PoCs need looking into.
The conversions work in the main, so if the failures can be signalled back upstream this is probably good to go, but shall await advice.
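The "expecting signature box" failure above is what a JP2-expecting load reports on sail.j2k, which imginfo labels jpc, a bare codestream with no container around it. As an added example (not from the bug report or the jasper project), this Python header check tells the three layouts seen in the transcript apart using the bytes from the od -a output: the JPEG SOI marker, the JP2 signature box plus ftyp box, and the J2K SOC/SIZ markers; the sample headers are constructed.

```python
import struct

# Constants from ISO/IEC 15444-1: JP2 container vs. raw J2K codestream.
JP2_SIGNATURE_BOX = b"\x00\x00\x00\x0cjP  \r\n\x87\n"  # 12-byte signature box
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"                       # SOC marker then SIZ marker
JPEG_SOI = b"\xff\xd8\xff"                              # JPEG start-of-image

def jp2_boxes(data, limit=4):
    """Yield (box_type, payload) for the first `limit` top-level JP2 boxes."""
    pos, count = 0, 0
    while pos + 8 <= len(data) and count < limit:
        length, = struct.unpack(">I", data[pos:pos + 4])
        box_type, header = data[pos + 4:pos + 8], 8
        if length == 1 and pos + 16 <= len(data):   # XLBox: 64-bit length follows
            length, = struct.unpack(">Q", data[pos + 8:pos + 16])
            header = 16
        elif length == 0:                            # box runs to end of file
            length = len(data) - pos
        if length < header or pos + length > len(data):
            raise ValueError("malformed box %r at offset %d" % (box_type, pos))
        yield box_type, data[pos + header:pos + length]
        pos, count = pos + length, count + 1

def identify(data):
    """Classify a file by its leading bytes: jpeg, jp2, j2k, or unknown."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(J2K_SOC_SIZ):
        return "j2k"            # bare codestream: no signature box to find
    if data.startswith(JP2_SIGNATURE_BOX):
        try:
            boxes = dict(jp2_boxes(data, limit=2))
        except ValueError:
            return "jp2-malformed"
        # ftyp payload = brand, minor version, compatibility list
        if boxes.get(b"ftyp", b"")[:4] == b"jp2 ":
            return "jp2"
        return "jp2-unknown-brand"
    return "unknown"

# Constructed sample headers (not the report's files), matching the od -a output above.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00"
SAMPLE_JP2 = JP2_SIGNATURE_BOX + b"\x00\x00\x00\x14ftypjp2 \x00\x00\x00\x00jp2 "
SAMPLE_J2K = b"\xff\x4f\xff\x51\x00\x29"

if __name__ == "__main__":
    for name, blob in (("jpeg", SAMPLE_JPEG), ("jp2", SAMPLE_JP2), ("j2k", SAMPLE_J2K)):
        print(name, "->", identify(blob))
```

Running identify() over a file's first few dozen bytes before choosing the decoder format avoids the mismatch seen with sail.j2k, and jp2-malformed or unknown results are a reason not to hand the data to the codec at all.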
Had to replace the PoC report. I seem to have picked up a fragment of my initial report somehow. Also, it should have been emphasized that the tests show that the two issues which are the essential point of this update do appear to have been addressed effectively.

Re Comment 8 : tx Len, but
$ imginfo -f relax.jp2
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image
and
$ imginfo -f imagewithalpha.jp2
warning: ignoring invalid option max_samples
cannot get header
error: failed to parse ICC profile
cannot load image
Confirm Len's results.
$ imginfo -f 1973-024.jpg
jpg 3 2904 4208 8 36660096
$ jasper --input 1973-024.jpg --output-format jp2 --output 1973-024.jp2
$ imginfo -f 1973-024.jp2
warning: ignoring invalid option max_samples
jp2 3 2904 4208 8 36660096
Looks OK in gimp. The whole thing seriously overloads this little machine, abandoning further tests. As for me, it might be OK'ed.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Thanks for your tests Herman. Ready to OK this because the failed PoC tests are for CVEs which are not directly mentioned in the advisory.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

David, are there additional patches for the CVEs mentioned in Comment 10?

(In reply to David Walser from comment #15)
> David, are there additional patches for the CVEs mentioned in Comment 10?

I can't find any patches for these two CVEs :(
https://github.com/mdadams/jasper/issues/56
https://github.com/mdadams/jasper/issues/71

Thanks David and David, looks like we have done as much as we can. Validating this.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0281.html

Resolution: (none) => FIXED