| Summary: | jasper missing fix for security issue CVE-2016-9397 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, marja11, nicolas.salguero, tarazed25, tmb |
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | jasper-1.900.23-5.1.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 24760, 26690 | ||
| Bug Blocks: | |||
Description

David Walser
2018-06-11 12:55:40 CEST

David Walser
2018-06-11 12:55:53 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assignee: bugsquad => mageia

Assigning to the registered maintainer, CC'ing two committers.

Thomas Backlund
2018-10-16 17:30:36 CEST
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser
2019-05-03 20:54:37 CEST
Depends on: (none) => 24760
Summary: jasper missing fixes for security issues CVEs 2016-939[78] => jasper missing fixes for security issues CVE-2016-9397

CVE-2016-9398 fixed in Bug 24760.

David Walser
2019-06-23 19:23:30 CEST
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil
2020-05-22 14:07:36 CEST
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

David Walser
2020-05-27 00:06:26 CEST
Depends on: (none) => 26690

This security issue is still not fixed upstream and surely never will be: https://github.com/mdadams/jasper/issues/56

And Red Hat closed their bug as WONTFIX: https://bugzilla.redhat.com/show_bug.cgi?id=1485276

I don't see anything upstream that indicates it won't be fixed. The correct Red Hat bug is still open: https://bugzilla.redhat.com/show_bug.cgi?id=1396979

Yes, surely nothing indicates that upstream will not fix this issue, but after more than 4 years...

They didn't say they don't intend to fix it, they said it's difficult to reproduce and they are a small volunteer effort like many open source projects. When you get dozens of reported vulnerabilities through fuzzing, it can be difficult to fix them all quickly. Just be patient.

David Walser
2020-05-27 13:41:52 CEST
Summary: jasper missing fixes for security issues CVE-2016-9397 => jasper missing fix for security issue CVE-2016-9397

I saw that Debian and Ubuntu dropped jasper, presumably due to security concerns. Can we drop it too? Can things be built against openjpeg/openjpeg2 instead?

David Walser
2020-12-28 17:09:38 CET
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: No fix available as of May 2020 => Need to test the PoC again, might already be fixed

Someone posted upstream and claimed again that 1.900.26 fixed it in 2016. I believe our QA team previously tested 1.900.23 when it was determined to not be fixed, so this second commit referenced on the upstream issue might have actually fixed it. I sent a message to the qa-discuss list asking to test the PoC again.

(In reply to David Walser from comment #7)
> I saw that Debian and Ubuntu dropped jasper, presumably due to security
> concerns. Can we drop it too? Can things be built against
> openjpeg/openjpeg2 instead?

We should also determine an answer to this question.

David Walser
2020-12-29 00:20:57 CET
Status comment: Need to test the PoC again, might already be fixed => Need to test the PoC again, might already be fixed, also this maybe could be dropped

Does this clear it up? https://bugs.mageia.org/show_bug.cgi?id=23139

Quoting from https://bugs.mageia.org/attachment.cgi?id=10233

```
date = 2018-06-09
jasper-1.900.23-5.1.mga6
---------------------

CVE-2016-9397
https://github.com/asarubbo/poc/blob/master/00010-jasper-assert-jpc_dequantize

$ imginfo -f 00010-jasper-assert-jpc_dequantize
warning: ignoring invalid option max_samples
warning: ignoring unknown marker segment (0xff76)
type = 0xff76 (UNKNOWN); len = 20;
00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imginfo: jpc_dec.c:1830: jpc_dequantize: Assertion `absstepsize >= 0' failed.
Aborted (core dumped)

---------------------------------------------------------------

CVE-2016-9398
https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2

$ imginfo -f 00023-jasper-assert-jpc_floorlog2
warning: ignoring invalid option max_samples
imginfo: jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
Aborted (core dumped)

***************************************************************

Testing again against current jasper-2.0.23-1.mga7

CVE-2016-9397

$ imginfo -f 00010-jasper-assert-jpc_dequantize
invalid component bit depth 114
cannot get marker segment
error: cannot decode code stream
cannot load image

<and using the tweaked PoC>

$ file POC3
POC3: JPEG 2000 Part 1 (JP2)
$ imginfo -f POC3
error: no code stream found
cannot load image

CVE-2016-9398

$ imginfo -f 00023-jasper-assert-jpc_floorlog2
invalid component bit depth 128
cannot get marker segment
error: cannot decode code stream
cannot load image
```

These look like good results so I would say that the issue is fixed. Have not changed the whiteboard.

CC: (none) => tarazed25

Thank you Len!

Status comment: Need to test the PoC again, might already be fixed, also this maybe could be dropped => (none)
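The attachment's test runs decide "fixed" by whether imginfo dies on an assertion or refuses the file with an error message. An added example, not part of the bug report or of jasper, that automates that check by running imginfo on each PoC file and classifying the outcome from the exit status. It assumes imginfo is on PATH and that the PoC files have been fetched into the current directory under the names quoted in the attachment.

```shell
#!/bin/sh
# Added example (not from the bug report or from jasper): automate the
# attachment's regression check. Assumptions: imginfo is on PATH and the
# PoC files sit in the current directory under the names quoted above.
#
# An assertion failure such as `absstepsize >= 0` in jpc_dequantize kills
# imginfo with SIGABRT, which the shell reports as status 134 (128 + 6).
# A decoder that rejects the file ("cannot load image") exits with a small
# non-zero status instead, and a file it can parse gives 0.

# classify_status STATUS -> prints ok, rejected or crashed
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok             # image parsed; imginfo printed its metadata
    elif [ "$1" -ge 128 ]; then
        echo crashed        # killed by a signal (134 = SIGABRT, 139 = SIGSEGV)
    else
        echo rejected       # input refused with an error message
    fi
}

# signal_number STATUS -> the signal behind a >=128 status, 0 otherwise
signal_number() {
    if [ "$1" -ge 128 ]; then
        echo $(( $1 - 128 ))
    else
        echo 0
    fi
}

# check_poc FILE -> prints "FILE: verdict" (plus the signal on a crash)
check_poc() {
    # Output is discarded; the exit status alone tells crash from rejection.
    imginfo -f "$1" >/dev/null 2>&1
    status=$?
    verdict=$(classify_status "$status")
    if [ "$verdict" = crashed ]; then
        printf '%s: %s (signal %s)\n' "$1" "$verdict" "$(signal_number "$status")"
    else
        printf '%s: %s\n' "$1" "$verdict"
    fi
}

# Run only when imginfo is installed; the PoC names are those quoted above.
if command -v imginfo >/dev/null 2>&1; then
    for poc in 00010-jasper-assert-jpc_dequantize 00023-jasper-assert-jpc_floorlog2 POC3; do
        if [ -f "$poc" ]; then check_poc "$poc"; fi
    done
fi
```

A "crashed" verdict reproduces the 2018 result (assertion abort); "rejected" matches the jasper-2.0.23 runs in the attachment.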