An issue in jasper was reported on August 20 (CVE-2015-5221):
http://openwall.com/lists/oss-security/2015/08/20/4

I don't know of any patch for this issue yet.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Another CVE was assigned for an issue reported today (January 28): http://openwall.com/lists/oss-security/2016/01/28/6
Summary: jasper new security issue CVE-2015-5221 => jasper new security issue CVE-2015-5221 and CVE-2016-2089
Some security issues in jasper have been assigned CVE-2015-5203, and a patch is available that may fix some of them, but it does not completely apply cleanly:
http://openwall.com/lists/oss-security/2015/08/21/4

We have a backported patch from Arch checked into SVN, but currently disabled, because tests in Bug 16629 showed that it was broken.

Advisory bits related to this CVE, which I'm moving to this bug for now:

A double-free issue in JasPer 1.900.1 in the jasper_image_stop_load() function can cause a denial of service if a specially crafted JPEG image is loaded (CVE-2015-5203).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
http://openwall.com/lists/oss-security/2015/08/21/4
URL: (none) => http://lwn.net/Vulnerabilities/655645/
Summary: jasper new security issue CVE-2015-5221 and CVE-2016-2089 => jasper new security issues CVE-2015-5203, CVE-2015-5221, and CVE-2016-2089
(In reply to David Walser from comment #1)
> Another CVE was assigned for an issue reported today (January 28):
> http://openwall.com/lists/oss-security/2016/01/28/6

OpenSuSE has issued an advisory for CVE-2016-2089 today (February 10):
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html

from http://lwn.net/Vulnerabilities/675051/
Assigning to maintainer.
Assignee: bugsquad => mageia
(In reply to David Walser from comment #3)
> (In reply to David Walser from comment #1)
> > Another CVE was assigned for an issue reported today (January 28):
> > http://openwall.com/lists/oss-security/2016/01/28/6
>
> OpenSuSE has issued an advisory for CVE-2016-2089 today (February 10):
> http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
>
> from http://lwn.net/Vulnerabilities/675051/

CVE-2016-2089 moved to Bug 17872.
Summary: jasper new security issues CVE-2015-5203, CVE-2015-5221, and CVE-2016-2089 => jasper new security issues CVE-2015-5203 and CVE-2015-5221
LWN reference for CVE-2015-5221: http://lwn.net/Vulnerabilities/697339/

Fedora has issued an advisory for this on August 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/

Fedora's patch for CVE-2015-5203 looks like it's functionally the same as the one we previously used in Bug 16629, so we may run into the same problem again. They have a patch for CVE-2015-5221, which is new.

Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure in: https://bugs.mageia.org/show_bug.cgi?id=14729

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

A double-free issue in JasPer 1.900.1 in the jasper_image_stop_load() function can cause a denial of service if a specially crafted JPEG image is loaded (CVE-2015-5203).

A use-after-free which leads to double-free vulnerability was found in Jasper JPEG-2000 library, in src/libjasper/mif/mif_cod.c file (CVE-2015-5221).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5221
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-20.5.mga5
libjasper1-1.900.1-20.5.mga5
libjasper-devel-1.900.1-20.5.mga5
libjasper-static-devel-1.900.1-20.5.mga5

from jasper-1.900.1-20.5.mga5.src.rpm
Assignee: mageia => qa-bugs
Version: Cauldron => 5
Whiteboard: MGA5TOO => has_procedure
Severity: normal => major
Trying this on x86_64. ImageMagick functions work fine on a random JPEG image before update. Checking the references now for a PoC.
CC: (none) => tarazed25
Of course we are not testing ImageMagick. Using it here only as a cross-check.

Referring to David's disclaimer about CVE-2015-5203 in comment #6 I recovered the PoC file used in earlier tests and ran jasper before the updates.

$ jasper --input poc.jp2 --output-format jpg --output test.jpg
write component failed
error: cannot decode code stream
error: cannot load image data

$ gimp poc.jp2
Opening '/home/lcl/qa/jasper/poc.jp2' failed: Couldn't decode '/home/lcl/qa/jasper/poc.jp2'.

$ jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp
write component failed
error: cannot decode code stream
error: cannot load image data

# Tried an existing JPEG2000 file:
$ jasper -f piuva.jp2 -F temp.bmp -t jp2 -T bmp
$ ls -l temp.bmp
-rw-r--r-- 1 lcl wireshark 326454 Aug 30 20:05 temp.bmp
# The temporary bitmap file displays perfectly using ImageMagick.
# gimp displays the piuva.jp2 file if the user agrees to conversion of the built-in
# colour profile to sRGB space.

# Checking with ImageMagick:
$ display poc.jp2
display: Invalid number of tiles : 1 x 101946 (maximum fixed by jpeg2000 norm is 65535 tiles) `OpenJP2' @ error/jp2.c/JP2ErrorHandler/193.
display: Marker handler function failed to read the marker segment `OpenJP2' @ error/jp2.c/JP2ErrorHandler/193.
display: unable to decode image file `poc.jp2' @ error/jp2.c/ReadJP2Image/349.

Obtained the PoC file for CVE-2015-5221 and fed it to jasper:
$ jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)
# This is in accord with the readme.txt supplied with the image file.
$ display temp.bmp
# This showed a tiny narrow rectangle at [0,0] on the screen, possibly 6 pixels high.
Installed the updates and ran the PoC tests.

CVE-2015-5221:
$ jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

CVE-2015-5203:
$ jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp
write component failed
error: cannot decode code stream
error: cannot load image data

# Note no segfaults or stack dumps, which might indicate that the patches are working.

However, jasper continues to convert supported image file format conversions:
$ jasper -f Badlands.jpg -F badlands.pnm -t jpg -T pnm
$ jasper -f piuva.jp2 -F temp.jpg -t jp2 -T jpg
$ jasper -f Badlands.jpg -F badlands.jp2 -t jpg -T jp2
$ jasper -f badlands.jp2 -F badlands.jpc -t jp2 -T jpc
$ jasper -f Badlands.jpg -F badlands.bmp -t jpg -T bmp
$ jasper -f Badlands.jpg -F badlands.ras -t jpg -T ras

Leaving this as it is to allow for comments.
s/format conversions/formats correctly/
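The two test comments above judge "no segfaults or stack dumps" by eye. The following is an added example, not part of this bug report, of the Mageia QA procedure, or of the jasper project: a small POSIX sh harness that runs a decoder over PoC files and turns the exit status into a verdict, so that a crash (exit status 128 + signal number, e.g. 139 for SIGSEGV, 134 for SIGABRT) is recorded separately from a graceful "cannot decode" error (exit status 1). The FILE placeholder, the function names, and the stand-in commands used in the demonstration are conventions of this example; the real jasper invocation would be the one used in the thread, e.g. `run_case poc.jp2 jasper -f FILE -F temp.bmp -t jp2 -T bmp`.

```shell
# Added example (not from the bug report or the jasper project).
# Assumes a POSIX sh; the decoder is given as a command with its arguments,
# with the literal word FILE standing for the input path.

# Map a raw exit status to a verdict:
#   0        -> ok      (input decoded)
#   1..127   -> error   (decoder rejected the input gracefully)
#   >= 128   -> crash   (terminated by a signal; 134 = SIGABRT, 139 = SIGSEGV)
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo "crash(signal=$((status - 128)))"
    else
        echo error
    fi
}

# run_case <input-file> <command> [args...]
# Substitutes FILE in the argument list, runs the command with its output
# discarded, and prints the verdict. The command runs inside an `if` so that
# a failing or crashing decoder does not abort a caller that uses `set -e`.
run_case() {
    file=$1
    shift
    # Rebuild the positional parameters with FILE replaced by the input path.
    for a in "$@"; do
        case $a in
            FILE) set -- "$@" "$file" ;;
            *)    set -- "$@" "$a" ;;
        esac
        shift
    done
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_exit "$status"
}

# scan_files <command> [args...]  (reads one input path per line on stdin)
# Prints "verdict<TAB>path" per input and returns 1 if any input crashed
# the decoder, so the whole PoC set can be checked in one exit status.
scan_files() {
    crashed=0
    while IFS= read -r path; do
        verdict=$(run_case "$path" "$@")
        printf '%s\t%s\n' "$verdict" "$path"
        case $verdict in
            crash*) crashed=1 ;;
        esac
    done
    return $crashed
}

# Stand-alone demonstration with constructed stand-in "decoders" instead of
# jasper: a command that succeeds, one that exits 1, and one that kills
# itself with SIGSEGV. /dev/null is used as a placeholder input path.
printf 'true            -> %s\n' "$(run_case /dev/null true)"
printf 'exit 1          -> %s\n' "$(run_case /dev/null sh -c 'exit 1')"
printf 'kill -s SEGV    -> %s\n' "$(run_case /dev/null sh -c 'kill -s SEGV $$')"
```

With real inputs the run would be `printf '%s\n' poc.jp2 jasper.poc | scan_files jasper -f FILE -F temp.bmp -t jp2 -T bmp`, before and after installing the package; an unpatched build that dies on a PoC shows a `crash(...)` verdict, while the expected post-update result is `error` (for poc.jp2) or `ok` (for jasper.poc). Warnings such as "trailing garbage in marker segment" do not affect the exit status and so do not change the verdict.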
In VirtualBox, M5, KDE, 32-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test: jasper imagemagick imagemagick-desktop

use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.i586 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.i586 is already installed
( there are no updates to the imagemagick packages )

I can open and view the image previously created with ImageMagick-desktop
I can open, and edit, a 2nd jpg image with the ImageMagick-desktop icon
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test: jasper imagemagick imagemagick-desktop

use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.x86_64 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.x86_64 is already installed

I can open and view the image previously created with ImageMagick-desktop
I can open, and edit, a 2nd jpg image with the ImageMagick-desktop icon
This is a minor security update, therefore if there are any functional problems they should be on a separate bug. IMO this bug is good to go and I'll validate it in 24 hours unless there are objections.
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push to updates. Thanks
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0298.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED