| Summary: | jasper new security issues CVE-2018-19539 and CVE-2018-19542 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, mageia, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | jasper-2.0.14-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 23168 | ||
Description
David Walser
2019-05-03 20:54:24 CEST
David Walser
2019-05-03 20:54:37 CEST
Blocks: (none) => 23168

Assigning to our registered jasper maintainer.

Assignee: bugsquad => mageia

Fixed both mga6 and Cauldron! Also added the fix for CVE-2016-9398!

CC: (none) => geiger.david68210

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors (CVE-2016-9398).

A denial of service in jp2_decode (CVE-2018-19542).

A denial of service in jas_image_readcmpt (CVE-2018-19539).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19539
https://lists.opensuse.org/opensuse-updates/2019-05/msg00017.html
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.23-5.2.mga6
libjasper1-1.900.23-5.2.mga6
libjasper-devel-1.900.23-5.2.mga6
libjasper-static-devel-1.900.23-5.2.mga6

from jasper-1.900.23-5.2.mga6.src.rpm

Whiteboard: MGA6TOO => (none)

MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Ref bug 23139 Comment 13 for test, starting jpg file created by exporting tif from Gimp.

At CLI:

```
$ imginfo -f 1973-024.jpg
jpg 3 2904 4208 8 36660096
$ jasper --input 1973-024.jpg --output-format jp2 --output 1973-024.jp2
$ imginfo -f 1973-024.jp2
warning: ignoring invalid option max_samples
jp2 3 2904 4208 8 36660096
```

Resulting jp2 file looks OK in Gimp.

Whiteboard: (none) => MGA6-32-OK

mga6, x86_64

POC tests:

*before update*

CVE-2016-9398
https://bugzilla.suse.com/show_bug.cgi?id=1010979&_ga=2.208433362.1398527329.1557324314-55335118.1500933662

```
$ jasper --input CVE-2016-9398.jasper --output foo.bmp
jasper: jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
Aborted (core dumped)
```

CVE-2018-19452
https://bugzilla.suse.com/show_bug.cgi?id=1117505&_ga=2.8860917.1398527329.1557324314-55335118.1500933662

```
$ jasper --input jasper_bug_4.jp2 --output foo.jpg
warning: trailing garbage in marker segment (3 bytes)
warning: trailing garbage in marker segment (32 bytes)
warning: not enough tile data (109 bytes)
warning: number of components mismatch
warning: component data type mismatch
Segmentation fault (core dumped)
```

CVE-2018-19539
https://bugzilla.suse.com/show_bug.cgi?id=1117511&_ga=2.121011016.1398527329.1557324314-55335118.1500933662

```
$ jasper --input jasper_bug_2.jp2 --output foo.bmp
warning: number of components mismatch
Segmentation fault (core dumped)
```

*after update*

CVE-2016-9398

```
$ jasper --input CVE-2016-9398.jasper --output foo.bmp
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data
```

CVE-2018-19452

```
$ jasper --input jasper_bug_4.jp2 --output foo.jpg
warning: trailing garbage in marker segment (3 bytes)
warning: trailing garbage in marker segment (32 bytes)
warning: not enough tile data (109 bytes)
warning: number of components mismatch
warning: component data type mismatch
error: invalid MTYP in CMAP box
error: cannot load image data
```

CVE-2018-19539

```
$ jasper --input jasper_bug_2.jp2 --output foo.bmp
warning: number of components mismatch
error: cannot encode image
```

All three results are tidier.

CC: (none) => tarazed25

Follow on from comment 5:

```
$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2
Displays OK.
$ imginfo -f riverpan.jp2
warning: ignoring invalid option max_samples
jp2 3 2816 558 8 4713984
$ diff riverpan.jp2 ht2jk.jpg
Binary files riverpan.jp2 and ht2jk.jpg differ
$ jasper -f sail.j2k -F sail.bmp -T bmp
$ display sail.bmp
<OK>
$ imginfo -f sail.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
<Nothing new here>
$ convert sail.bmp sail.ppm
$ imginfo -f sail.ppm
warning: ignoring options
pnm 3 640 480 8 921600
```

Looks like jasper still has some rough edges but it can probably go out based on comments 4, 5, 6.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
Thomas Backlund
2019-05-12 10:18:18 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0167.html

Status: NEW => RESOLVED
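
The before/after PoC check from the x86_64 test comment above can be scripted so that a crash (process killed by a signal) is told apart from a handled decode error by exit status rather than by reading the terminal. This is an added example, not part of the original bug report or of the JasPer project; the function names `classify_status`, `run_poc` and `verify_update`, the temporary `.bmp` output path, and passing the PoC files as arguments are assumptions.

```shell
#!/bin/sh
# Added example: classify how a decoder run ended, so a QA pass can tell a
# crash (killed by a signal) from a handled error (ordinary non-zero exit).

# bash and dash report "killed by signal N" as exit status 128+N, so
# SIGABRT (6) shows up as 134 and SIGSEGV (11) as 139.
classify_status() {
    case $1 in
        0)       echo "ok" ;;
        126|127) echo "not-run" ;;          # not executable / not found
        134)     echo "crash:SIGABRT" ;;    # assertion failure -> abort()
        139)     echo "crash:SIGSEGV" ;;    # segmentation fault
        *)       if [ "$1" -gt 128 ]; then
                     echo "crash:signal-$(( $1 - 128 ))"
                 else
                     echo "handled-error"   # e.g. "error: cannot load image data"
                 fi ;;
    esac
}

# Run a command with its output discarded and print the verdict.
# "|| status=$?" keeps this safe under "set -e".
run_poc() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Feed each PoC file to jasper; fail if any run crashed or could not start.
# Writing every result to one temporary .bmp is an assumption of this sketch.
verify_update() {
    failed=0
    for poc in "$@"; do
        verdict=$(run_poc jasper --input "$poc" \
                  --output "${TMPDIR:-/tmp}/poc-out.bmp")
        printf '%s: %s\n' "$poc" "$verdict"
        case $verdict in crash:*|not-run) failed=1 ;; esac
    done
    return "$failed"
}

# Only act when PoC files are given on the command line.
if [ "$#" -gt 0 ]; then
    verify_update "$@"
fi
```

Run against the three PoC files named in the comment, the pre-update package would be expected to report `crash:` verdicts and the updated package `handled-error`, matching the transcripts above.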