Bug 17622 - jasper new security issues CVE-2015-5203 and CVE-2015-5221
Summary: jasper new security issues CVE-2015-5203 and CVE-2015-5221
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655645/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-01-25 18:11 CET by David Walser
Modified: 2016-09-16 11:27 CEST (History)
CC List: 4 users

See Also:
Source RPM: jasper-1.900.1-20.1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-01-25 18:11:00 CET
An issue in jasper was reported on August 20 (CVE-2015-5221):
http://openwall.com/lists/oss-security/2015/08/20/4

I don't know of any patch for this issue yet.

Mageia 5 is also affected.

David Walser 2016-01-25 18:11:11 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-01-28 13:50:05 CET
Another CVE was assigned for an issue reported today (January 28):
http://openwall.com/lists/oss-security/2016/01/28/6

Summary: jasper new security issue CVE-2015-5221 => jasper new security issue CVE-2015-5221 and CVE-2016-2089

Comment 2 David Walser 2016-02-05 17:31:17 CET
Some security issues in jasper have been assigned CVE-2015-5203, and a patch is available that may fix some of them, but it does not completely apply cleanly:
http://openwall.com/lists/oss-security/2015/08/21/4

We have a backported patch from Arch checked into SVN, but currently disabled, because tests in Bug 16629 showed that it was broken.

Advisory bits related to this CVE, which I'm moving to this bug for now:

A double-free issue in JasPer 1.900.1 in the jasper_image_stop_load() function
can cause a denial of service if a specially crafted JPEG image is loaded
(CVE-2015-5203).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
http://openwall.com/lists/oss-security/2015/08/21/4

URL: (none) => http://lwn.net/Vulnerabilities/655645/
Summary: jasper new security issue CVE-2015-5221 and CVE-2016-2089 => jasper new security issues CVE-2015-5203, CVE-2015-5221, and CVE-2016-2089

Comment 3 David Walser 2016-02-10 21:10:14 CET
(In reply to David Walser from comment #1)
> Another CVE was assigned for an issue reported today (January 28):
> http://openwall.com/lists/oss-security/2016/01/28/6

OpenSuSE has issued an advisory for CVE-2016-2089 today (February 10):
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html

from http://lwn.net/Vulnerabilities/675051/
Comment 4 Samuel Verschelde 2016-02-23 13:05:43 CET
Assigning to maintainer.

Assignee: bugsquad => mageia

Comment 5 David Walser 2016-03-03 16:16:55 CET
(In reply to David Walser from comment #3)
> (In reply to David Walser from comment #1)
> > Another CVE was assigned for an issue reported today (January 28):
> > http://openwall.com/lists/oss-security/2016/01/28/6
> 
> OpenSuSE has issued an advisory for CVE-2016-2089 today (February 10):
> http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
> 
> from http://lwn.net/Vulnerabilities/675051/

CVE-2016-2089 moved to Bug 17872.

Summary: jasper new security issues CVE-2015-5203, CVE-2015-5221, and CVE-2016-2089 => jasper new security issues CVE-2015-5203 and CVE-2015-5221

Comment 6 David Walser 2016-08-16 19:28:28 CEST
LWN reference for CVE-2015-5221:
http://lwn.net/Vulnerabilities/697339/

Fedora has issued an advisory for this on August 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/

Fedora's patch for CVE-2015-5203 looks like it's functionally the same as the one we previously used in Bug 16629, so we may run into the same problem again.

They have a patch for CVE-2015-5221, which is new.

Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure in:
https://bugs.mageia.org/show_bug.cgi?id=14729

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

A double-free issue in JasPer 1.900.1 in the jasper_image_stop_load() function
can cause a denial of service if a specially crafted JPEG image is loaded
(CVE-2015-5203).

A use-after-free which leads to a double-free vulnerability was found in the JasPer
JPEG-2000 library, in the src/libjasper/mif/mif_cod.c file (CVE-2015-5221).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5221
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-20.5.mga5
libjasper1-1.900.1-20.5.mga5
libjasper-devel-1.900.1-20.5.mga5
libjasper-static-devel-1.900.1-20.5.mga5

from jasper-1.900.1-20.5.mga5.src.rpm

Assignee: mageia => qa-bugs
Version: Cauldron => 5
Whiteboard: MGA5TOO => has_procedure
Severity: normal => major

Comment 7 Len Lawrence 2016-08-30 20:44:36 CEST
Trying this on x86_64.  ImageMagick functions work fine on a random JPEG image before update.
Checking the references now for a PoC.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2016-08-30 22:07:44 CEST
Of course we are not testing ImageMagick.  Using it here only as a cross-check.

Referring to David's disclaimer about CVE-2015-5203 in comment #6, I recovered the PoC file used in earlier tests and ran jasper before the updates.

$ jasper --input poc.jp2 --output-format jpg --output test.jpg
write component failed
error: cannot decode code stream
error: cannot load image data
$ gimp poc.jp2
Opening '/home/lcl/qa/jasper/poc.jp2' failed: Couldn't decode '/home/lcl/qa/jasper/poc.jp2'.

$ jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp
write component failed
error: cannot decode code stream
error: cannot load image data

# Tried an existing JPEG2000 file:
$ jasper -f piuva.jp2 -F temp.bmp -t jp2 -T bmp
$ ls -l temp.bmp
-rw-r--r-- 1 lcl wireshark 326454 Aug 30 20:05 temp.bmp
# The temporary bitmap file displays perfectly using ImageMagick.

# gimp displays the piuva.jp2 file if the user agrees to conversion of the built-in
# colour profile to sRGB space.

# Checking with ImageMagick:
$ display poc.jp2
display: Invalid number of tiles : 1 x 101946 (maximum fixed by jpeg2000 norm is 65535 tiles)
 `OpenJP2' @ error/jp2.c/JP2ErrorHandler/193.
display: Marker handler function failed to read the marker segment
 `OpenJP2' @ error/jp2.c/JP2ErrorHandler/193.
display: unable to decode image file `poc.jp2' @ error/jp2.c/ReadJP2Image/349.

Obtained the PoC file for CVE-2015-5221 and fed it to jasper:
$ jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)
# This is in accord with the readme.txt supplied with the image file.
$ display temp.bmp
# This showed a tiny narrow rectangle at [0,0] on the screen, possibly 6 pixels high.
Comment 9 Len Lawrence 2016-08-30 22:51:45 CEST
Installed the updates and ran the PoC tests.

CVE-2015-5221:
$ jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp
warning: trailing garbage in marker segment (6 bytes)

CVE-2015-5203:
$ jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp
write component failed
error: cannot decode code stream
error: cannot load image data

# Note no segfaults or stack dumps, which might indicate that the patches are working.

However, jasper continues to convert supported image file format conversions:
$ jasper -f Badlands.jpg -F badlands.pnm -t jpg -T pnm
$ jasper -f piuva.jp2 -F temp.jpg -t jp2 -T jpg
$ jasper -f Badlands.jpg -F badlands.jp2 -t jpg -T jp2
$ jasper -f badlands.jp2 -F badlands.jpc -t jp2 -T jpc
$ jasper -f Badlands.jpg -F badlands.bmp -t jpg -T bmp
$ jasper -f Badlands.jpg -F badlands.ras -t jpg -T ras

Leaving this as it is to allow for comments.
Comment 10 Len Lawrence 2016-08-30 22:55:29 CEST
s/format conversions/formats correctly/
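The procedure in comments 8 and 9 turns on one distinction: a fixed decoder fed a PoC should fail with a controlled error message, never with a segfault or abort, while ordinary conversions must still succeed and produce output. The following script is an added QA helper, not part of the bug report or of JasPer; the file names poc.jp2, jasper.poc and piuva.jp2 are the ones used in those comments, and the sh -c stand-ins are constructed so it runs without jasper installed.

```shell
#!/bin/sh
# Added QA helper; not part of the Mageia bug report or of JasPer itself.
ulimit -c 0   # a PoC that still crashes should not leave core files around

# Classify a decoder run by its exit status: 128+N means the process died
# from signal N (SIGSEGV=11, SIGABRT=6), the symptom of a double-free or
# use-after-free; 1..127 is a controlled error exit such as "error: cannot
# decode code stream", the expected result for a fixed decoder fed a PoC.
classify_exit() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -ge 128 ]; then
        echo "crash(signal $(($1 - 128)))"
    else
        echo "error($1)"
    fi
}

# Run a command with its output discarded and print the classification.
# The '|| status=$?' form keeps the helper correct under 'set -e'.
run_case() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Regression check ("jasper still converts supported formats"): the command
# must exit 0 and leave a non-empty output file behind.
run_conversion() {
    outfile=$1; shift
    rm -f "$outfile"
    result=$(run_case "$@")
    if [ "$result" = ok ] && [ ! -s "$outfile" ]; then
        echo "error(empty output)"
    else
        echo "$result"
    fi
}

# With jasper and the PoC files from comments 8 and 9 in the current
# directory, rerun those cases; otherwise exercise the helpers with
# constructed stand-ins so the script runs without jasper installed.
if command -v jasper >/dev/null 2>&1 && [ -f poc.jp2 ]; then
    echo "CVE-2015-5203 poc.jp2:    $(run_case jasper -f poc.jp2 -F temp.bmp -t jp2 -T bmp)"
    echo "CVE-2015-5221 jasper.poc: $(run_case jasper -f jasper.poc -F temp.bmp -t jp2 -T bmp)"
    echo "regression piuva.jp2:     $(run_conversion temp.bmp jasper -f piuva.jp2 -F temp.bmp -t jp2 -T bmp)"
else
    echo "controlled error: $(run_case sh -c 'exit 1')"           # error(1)
    echo "signal death:     $(run_case sh -c 'kill -s SEGV $$')"  # crash(signal 11)
fi
```

Run it before and after installing the update from updates_testing; the PoC lines should read error(...) both times, never crash(...), and the regression line should read ok.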
Comment 11 William Kenney 2016-09-03 20:02:20 CEST
In VirtualBox, M5, KDE, 32-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test:
jasper imagemagick imagemagick-desktop
use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.i586 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.i586 is already installed
( there are no updates to the imagemagick packages )

I can open and view the image previously created with ImageMagick-desktop
I can open, and edit, a 2nd jpg image with the ImageMagick-desktop icon

CC: (none) => wilcal.int

Comment 12 William Kenney 2016-09-03 20:23:41 CEST
In VirtualBox, M5, KDE, 64-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test:
jasper imagemagick imagemagick-desktop
use imagemagick with the ImageMagick-desktop icon

default install of jasper imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.x86_64 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-20.5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.5.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.5.2-1.mga5.x86_64 is already installed

I can open and view the image previously created with ImageMagick-desktop
I can open, and edit, a 2nd jpg image with the ImageMagick-desktop icon
Comment 13 William Kenney 2016-09-03 20:26:21 CEST
This is a minor security update, therefore if there are any functional
problems they should be on a separate bug. IMO this bug is good to go
and I'll validate it in 24 hours unless there are objections.
Comment 14 William Kenney 2016-09-05 16:08:20 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2016-09-06 20:43:12 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 15 Mageia Robot 2016-09-16 11:27:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0298.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
