Bug 19605 - jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5] and more
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705673/
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2016-10-16 22:44 CEST by David Walser
Modified: 2018-06-09 20:57 CEST

See Also:
Source RPM: jasper-1.900.1-26.mga6.src.rpm

Description David Walser 2016-10-16 22:44:34 CEST
CVEs have been assigned for security issues in jasper:
http://openwall.com/lists/oss-security/2016/10/16/14

Information about the status of these and fixes for some of them:
http://openwall.com/lists/oss-security/2016/10/16/17

We should update to 1.900.4 and include any fixes from git.
David Walser 2016-10-16 22:44:43 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-10-17 10:53:12 CEST
Assigning to the registered maintainer

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 David Walser 2016-10-23 19:53:21 CEST
More CVEs:
http://openwall.com/lists/oss-security/2016/10/23/8
http://openwall.com/lists/oss-security/2016/10/23/1
http://openwall.com/lists/oss-security/2016/10/23/2
http://openwall.com/lists/oss-security/2016/10/23/3

Summary: jasper new security issues CVE-2016-869[1-3] => jasper new security issues CVE-2016-869[1-3], CVE-2016-888[0-7]

Comment 3 David Walser 2016-11-02 18:58:16 CET
Fedora now has a 1.900.13, which should be significantly improved:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THLEZURI4D24PRM7SMASC5I25IAWXXTM/
Comment 4 David GEIGER 2016-11-02 19:01:52 CET
There is a more recent available release 1.900.18 

https://github.com/mdadams/jasper/releases

CC: (none) => geiger.david68210

Comment 5 David Walser 2016-11-04 15:59:53 CET
CVE request for another issue fixed upstream:
http://openwall.com/lists/oss-security/2016/11/04/11
Comment 6 David Walser 2016-11-04 17:40:00 CET
openSUSE has issued an advisory for this today (November 4):
https://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html

URL: (none) => http://lwn.net/Vulnerabilities/705673/
Summary: jasper new security issues CVE-2016-869[1-3], CVE-2016-888[0-7] => jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7]

Comment 7 David Walser 2016-11-07 18:44:25 CET
openSUSE has issued an advisory for this on November 5:
https://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html

LWN reference:
http://lwn.net/Vulnerabilities/705824/
Comment 8 David Walser 2016-11-09 17:16:34 CET
CVE request for another issue fixed upstream:
http://openwall.com/lists/oss-security/2016/11/09/8
Comment 9 David Walser 2016-11-10 14:42:54 CET
(In reply to David Walser from comment #8)
> CVE request for another issue fixed upstream:
> http://openwall.com/lists/oss-security/2016/11/09/8

CVE-2016-9262 for this one:
http://openwall.com/lists/oss-security/2016/11/10/4

Summary: jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7] => jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262

Comment 10 David Walser 2016-11-16 15:24:15 CET
More security issues in jasper:
http://openwall.com/lists/oss-security/2016/11/16/4
Comment 11 David Walser 2016-11-17 16:43:50 CET
(In reply to David Walser from comment #10)
> More security issues in jasper:
> http://openwall.com/lists/oss-security/2016/11/16/4

CVE-2016-938[7-9] and CVE-2016-939[0-9]:
http://openwall.com/lists/oss-security/2016/11/17/1

Summary: jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262 => jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9]

Comment 12 David Walser 2016-11-20 17:27:58 CET
Two more security issues for jasper:
http://openwall.com/lists/oss-security/2016/11/19/5
http://openwall.com/lists/oss-security/2016/11/20/1
Comment 13 David Walser 2016-11-24 13:22:47 CET
(In reply to David Walser from comment #12)
> Two more security issues for jasper:
> http://openwall.com/lists/oss-security/2016/11/19/5
> http://openwall.com/lists/oss-security/2016/11/20/1

CVE-2016-9557 and CVE-2016-9560:
http://openwall.com/lists/oss-security/2016/11/23/2
http://openwall.com/lists/oss-security/2016/11/23/5
Comment 14 David Walser 2016-11-29 18:27:03 CET
Another issue (CVE-2016-8654) has been fixed upstream:
http://openwall.com/lists/oss-security/2016/11/29/6

The commit to fix the issue is linked in the message above.

Summary: jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9] => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9]

Comment 15 David Walser 2016-12-09 18:00:10 CET
LWN reference with some of the CVEs:

Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9] => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560

Comment 16 David Walser 2016-12-12 20:28:02 CET
LWN reference for CVE-2016-8654:
https://lwn.net/Vulnerabilities/708870/
Comment 17 David Walser 2016-12-13 18:25:10 CET
Another CVE for jasper:
http://openwall.com/lists/oss-security/2016/12/13/3

Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560 => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583

Comment 18 David Walser 2016-12-16 14:02:28 CET
Another CVE for jasper:
http://www.openwall.com/lists/oss-security/2016/12/16/3

Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583 => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591

Comment 19 David Walser 2017-01-09 23:29:45 CET
LWN reference for CVE-2016-9395 CVE-2016-9398 CVE-2016-9591:
https://lwn.net/Vulnerabilities/711059/
Comment 20 David Walser 2017-01-17 02:38:07 CET
More CVEs:
http://openwall.com/lists/oss-security/2017/01/17/1
http://openwall.com/lists/oss-security/2017/01/17/2
http://openwall.com/lists/oss-security/2017/01/17/3
http://openwall.com/lists/oss-security/2017/01/17/4

Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591 => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5]

Comment 21 David Walser 2017-02-03 00:14:58 CET
LWN reference for CVE-2016-9583:
https://lwn.net/Vulnerabilities/713423/
Comment 22 Zombie Ryushu 2017-02-11 07:08:22 CET
Package        : jasper
CVE ID         : CVE-2016-1867 CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 
                 CVE-2016-8693 CVE-2016-8882 CVE-2016-9560

Multiple vulnerabilities have been discovered in the JasPer library
for processing JPEG-2000 images, which may result in denial of service
or the execution of arbitrary code if a malformed image is processed.

CC: (none) => zombie_ryushu

Comment 23 Nicolas Salguero 2017-02-22 17:11:43 CET
Hi,

I tried to update jasper so here is a summary that applies to Mageia 5 and Cauldron:

I found that, starting with version 1.900.24, the name of the dynamic library was no longer libjasper.so.1* but libjasper.so.2* (and, in version 2.0.10, it is libjasper.so.4*).

So I used version 1.900.23 (which solves CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9]) and added some patches for CVE-2016-8654, CVE-2016-9557, CVE-2016-9560, CVE-2016-9583 and CVE-2016-9591.  The remaining unpatched security problems are CVE-2017-549[89] and CVE-2017-550[0-5] (for which there is currently no upstream patch).

I had to add another patch replacing an "assert()" by an error message because that assert, with the file "http://www.fnordware.com/j2k/relax.jp2", caused the crash of pcmanfm (when it tries to create the thumbnail) and of the gimp plugin "file-jp2-load".  The current version of jasper, with the same file, also causes the crash of the gimp plugin but does not affect pcmanfm because the creation of the thumbnail fails before that assert.

In my tests, I used these files:
https://github.com/bitsgalore/jp2kMagic/raw/master/sampleImages/balloon.jp2
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/1410918/+attachment/4298538/+files/Cevennes2.jp2
https://sourceforge.net/p/iipimage/discussion/299494/thread/dc7ea3fd/621e/attachment/sample.jp2
https://sourceforge.net/p/iipimage/discussion/299494/thread/dc7ea3fd/5bd9/attachment/Paris_12-080422_0687-23-00001_0001292.jp2
http://www.fnordware.com/j2k/relax.jp2
imagewithalpha.jp2 from https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/427100/+attachment/884717/+files/image.tar.bz2

Current situation (jasper 1.900.1):
  - The gimp plugin crashes with balloon.jp2, Cevennes2.jp2 and relax.jp2. Gimp is unable to open imagewithalpha.jp2 and Paris_12-080422_0687-23-00001_0001292.jp2. Gimp only opens sample.jp2.
  - (Only for Cauldron as the binary does not exist in Mageia 5) jiv crashes with relax.jp2. jiv is unable to open imagewithalpha.jp2 and Paris_12-080422_0687-23-00001_0001292.jp2. jiv opens balloon.jp2, Cevennes2.jp2 and sample.jp2 (even if it takes some time to open those files).
  - Pcmanfm is only able to create a thumbnail for sample.jp2 (if it is configured to create thumbnails for files smaller than 32768KB, default is 2048KB).

Situation with jasper 1.900.23 + patches:
  - Gimp is unable to open imagewithalpha.jp2, Paris_12-080422_0687-23-00001_0001292.jp2 and relax.jp2. Gimp opens balloon.jp2, Cevennes2.jp2 and sample.jp2.
  - (Both Cauldron and Mageia 5) jiv is unable to open imagewithalpha.jp2, Paris_12-080422_0687-23-00001_0001292.jp2, relax.jp2 and sample.jp2. jiv opens balloon.jp2 and Cevennes2.jp2 (even if it takes some time to open those files).
  - Pcmanfm is able to create a thumbnail for balloon.jp2, Cevennes2.jp2 and sample.jp2 (if it is configured to create thumbnails for files smaller than 32768KB, default is 2048KB).

I committed that new version to SVN but I neither submitted to mga5/updates_testing nor asked for a freeze push because of CVE-2017-549[89] and CVE-2017-550[0-5].

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 24 David Walser 2017-02-22 17:54:25 CET
Wow, thanks!  You can do the freeze push request for Cauldron as a partial fix is better than nothing there.  Mageia 5 can wait a bit more.  Nice catch with that assert, as those shouldn't be left enabled in production code anyway.
Comment 25 Thomas Backlund 2017-03-02 14:04:32 CET
Does this package now suffer from the same breakage that happened in Cauldron?

CC: (none) => tmb
Whiteboard: MGA5TOO => MGA5TOO feedback

Comment 26 Nicolas Salguero 2017-03-02 14:26:01 CET
The corrected patch for CVE-2016-9557 has been committed into Mga5 and Cauldron SVN so there should be no more breakage.
Comment 27 David Walser 2017-03-06 11:53:36 CET
Another bug:
http://openwall.com/lists/oss-security/2017/03/06/1

and a fix for a different one:
http://openwall.com/lists/oss-security/2017/03/06/3
Comment 28 Nicolas Salguero 2017-03-06 11:55:53 CET
(In reply to David Walser from comment #27)
> and a fix for a different one:
> http://openwall.com/lists/oss-security/2017/03/06/3

Added to Mga5 and Cauldron SVN.  jasper-1.900.23-3.mga6 contains the patch.
Comment 29 David Walser 2017-03-07 11:59:03 CET
Another fix:
http://openwall.com/lists/oss-security/2017/03/07/1
Comment 30 Nicolas Salguero 2017-03-07 13:22:05 CET
(In reply to David Walser from comment #29)
> Another fix:
> http://openwall.com/lists/oss-security/2017/03/07/1

Added to Mga5 and Cauldron SVN.  jasper-1.900.23-4.mga6 contains the patch.
Comment 31 David Walser 2017-03-13 23:46:54 CET
http://openwall.com/lists/oss-security/2017/03/13/22
http://openwall.com/lists/oss-security/2017/03/13/23
http://openwall.com/lists/oss-security/2017/03/13/24
http://openwall.com/lists/oss-security/2017/03/13/25
http://openwall.com/lists/oss-security/2017/03/13/26
http://openwall.com/lists/oss-security/2017/03/13/27

CVE-2016-1024[89], CVE-2016-1025[01], CVE-2017-685[02] were assigned.  These won't fit in the bug title.

Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5] => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5] and more

Comment 32 Nicolas Salguero 2017-03-20 14:28:38 CET
According to the links provided in comment 31, CVE-2016-1024[89], CVE-2016-1025[01] and CVE-2017-6850 are already fixed in jasper-1.900.23-4.mga6.  The only remaining issue is CVE-2017-6852, for which there is currently no fix.
Comment 33 David Walser 2017-04-10 00:52:59 CEST
SUSE has issued an advisory on April 5:
https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00010.html

It includes several CVEs, including CVE-2016-9600, which I don't believe has been mentioned here yet.
Comment 34 Nicolas Salguero 2017-04-19 15:02:49 CEST
I added a patch for CVE-2016-9600 to Mga5 and Cauldron SVN.  jasper-1.900.23-5.mga6 contains that patch.
Comment 35 Nicolas Lécureuil 2017-05-01 22:19:29 CEST
Can we send this to QA for testing and validation?
Comment 36 David Walser 2017-05-10 12:15:40 CEST
Red Hat has added an advisory for this on May 9:
https://rhn.redhat.com/errata/RHSA-2017-1208.html
Nicolas Lécureuil 2017-05-18 10:47:01 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO feedback => feedback

Comment 38 David Walser 2017-07-08 18:58:30 CEST
CVE-2017-1000050:
http://openwall.com/lists/oss-security/2017/07/08/3
Comment 39 David Walser 2017-07-27 16:26:33 CEST
openSUSE has issued an advisory on July 26, fixing several CVEs in jasper:
https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html
Frédéric "LpSolit" Buclin 2017-09-06 16:10:36 CEST

Whiteboard: feedback => (none)
Keywords: (none) => feedback

Comment 40 David Walser 2017-09-20 23:42:49 CEST
(In reply to David Walser from comment #38)
> CVE-2017-1000050:
> http://openwall.com/lists/oss-security/2017/07/08/3

Fedora has issued an advisory for this on September 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U5NEJQFBVKG6PRJ5EZ7UIP7ZXOIHDPJF/
Comment 41 David Walser 2017-12-27 04:25:04 CET
Can we update this?  I'm guessing Mageia 6 needs some fixes too.

Keywords: feedback => (none)

Comment 42 David Walser 2017-12-29 04:03:19 CET
If I read Nicolas right, CVE-2017-549[89], CVE-2017-550[0-5], CVE-2017-6852 may be unfixed, but everything should be fixed in this update and what we already have in Mageia 6.

Advisory:
========================

Updated jasper packages fix security vulnerability:

The jasper package has been updated and patched to fix several security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8654
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000050
https://github.com/mdadams/jasper/releases
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THLEZURI4D24PRM7SMASC5I25IAWXXTM/
https://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html
https://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html
https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00010.html
https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U5NEJQFBVKG6PRJ5EZ7UIP7ZXOIHDPJF/
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.23-1.mga5
libjasper1-1.900.23-1.mga5
libjasper-devel-1.900.23-1.mga5
libjasper-static-devel-1.900.23-1.mga5

from jasper-1.900.23-1.mga5.src.rpm

Assignee: mageia => qa-bugs
CC: (none) => mageia

Comment 43 Thomas Andrews 2017-12-29 23:56:03 CET
On real hardware, ASRock motherboard, Athlon X2 7750, 8GB, nvidia Geforce 9800 GT (nvidia340) graphics.

Installed jasper-1.900.23-1.mga5 and libjasper1-1.900.23-1.mga5. Downloaded jp2 test image and opened it with several 64-bit apps. No regressions noted.

CC: (none) => andrewsfarm

Thomas Andrews 2017-12-29 23:57:35 CET

Whiteboard: (none) => MGA5-64-OK

Comment 44 Lewis Smith 2017-12-30 11:54:33 CET
To prioritise.
Comment 45 Lewis Smith 2017-12-30 22:39:50 CET
Thanks TJ for your test.

M5/64 again.
- jasper-1.900.23-1.mga5.x86_64
- lib64jasper1-1.900.23-1.mga5.x86_64

"JasPer is a software-based implementation of the codec specified in the
emerging JPEG-2000 Part-1 standard (i.e., ISO/IEC 15444-1).  This package
contains tools for working with JPEG-2000 images."

- imgcmp   The imgcmp command compares two images of the same geometry with
       respect to a given metric.   [A bit specialised...]
- imginfo  The  imginfo command displays information about an image.
- jasper   The jasper command converts to and from JPEG-2000 files.
These 3 have skimpy man pages, but --help command info.

- tmrdemo  [mystery]
 $ tmrdemo
bad usage :P
 $ tmrdemo -h
jas_tmr_start inf us
jas_tmr_stop  inf us
zero time -nan us
time delay 1.00009012 s
 Do not know what this is supposed to mean.

 $ imginfo -f bell_206.j2k
warning: ignoring invalid option max_samples     [post update only]
jpc 3 258 792 8 613008
 $ imginfo -f bell_206.jp2           [same image, different suffix]
warning: ignoring invalid option max_samples     [post update only]
jpc 3 258 792 8 613008
 $ imginfo -f blackbuck.j2k
jpc 3 512 512 8 786432
warning: ignoring invalid option max_samples     [post update only]
 $ imginfo -f P1000737.jp2
warning: ignoring invalid option max_samples     [post update only]
jp2 3 3072 2048 8 18874368
 Happy to believe all that. Stracing shows the library is being invoked:
strace imginfo -f bell_206.j2k 2>&1 | grep libjasper
open("/lib64/libjasper.so.1", O_RDONLY|O_CLOEXEC) = 3

For jasper:
The following formats are supported:
    mif      My Image Format (MIF)
    pnm      Portable Graymap/Pixmap (PNM)
    bmp      Microsoft Bitmap (BMP)
    ras      Sun Rasterfile (RAS)
    jp2      JPEG-2000 JP2 File Format Syntax (ISO/IEC 15444-1)
    jpc      JPEG-2000 Code Stream Syntax (ISO/IEC 15444-1)
    jpg      JPEG (ISO/IEC 10918-1)
    pgx      JPEG-2000 VM Format (PGX)

BMP -> JP2
 $ jasper -f blackbuck.bmp -t bmp -F ~/tmp/blackbuck.jp2 -T jp2
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
 In spite of which, the output file existed and viewed similar to the input.
$ strace jasper -f blackbuck.bmp -t bmp -F ~/tmp/blackbuck.jp2 -T jp2 2>&1 | grep libjasper
 open("/lib64/libjasper.so.1", O_RDONLY|O_CLOEXEC) = 3

JPG -> JP2
 $ jasper -f neuadd.jpeg -t jpg -F ~/tmp/neuadd.jp2 -T jp2
The original & converted images viewed identically.

JP2 -> JPG
 $ jasper -f bell_206.jp2 -t jp2 -F ~/tmp/bell.jpg -T jpg
error: expecting signature box
error: cannot load image data
Same error with .j2k image copy.
 $ jasper -f P1000737.jp2 -t jp2 -F ~/tmp/pic.jpg -T jpg
worked: I/P & O/P images viewed identically.
Stracing that showed:
 open("/lib64/libjasper.so.1", O_RDONLY|O_CLOEXEC) = 3

JP2 -> BMP
 $ jasper -f blackbuck.j2k -t jp2 -F ~/tmp/pic.bmp -T bmp
error: expecting signature box
error: cannot load image data
 $ jasper -f P1000784.jp2 -t jp2 -F ~/tmp/pic.bmp -T bmp
worked. Original & converted images viewed identically.

Its delicacy on the subject of jp2|j2k input files, which themselves were the result of conversions (as were the ones that did work), was the same before the update - which looks good.
Oh - the new benign error msg from imginfo has appeared with the update, but is more an annoyance than anything: the results are the same as before.

Confirm TJ's OK, validating as this is a one release 64-bit tested update.
Advisory done.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 46 Mageia Robot 2017-12-31 01:11:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0474.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 47 Len Lawrence 2018-06-09 20:54:47 CEST
There were two failures in the PoC tests, for CVEs 2016-939{7,8}.

Referring back to Herman's tests and bug 19605 c3....

Downloaded ht2jk.jpg from https://jpeg.org/jpeg2000/htj2k.html.
$ file ht2jk.jpg 
ht2jk.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=12, manufacturer=Canon, model=Canon PowerShot A540, orientation=upper-left, xresolution=186, yresolution=194, resolutionunit=2, datetime=2009:09:13 12:26:29], baseline, precision 8, 2816x558, frames 3

Looks like an ordinary JPEG.
$ imginfo -f ht2jk.jpg 
jpg 3 2816 558 8 4713984

$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2
$ imginfo -f riverpan.jp2
warning: ignoring invalid option max_samples
jp2 3 2816 558 8 4713984
$ diff riverpan.jp2 ht2jk.jpg
Binary files riverpan.jp2 and ht2jk.jpg differ
$ od -a ht2jk.jpg | head -2
0000000 del   X del   ` nul dle   J   F   I   F nul soh soh soh nul   `
0000020 nul   ` nul nul del   a nak   `   E   x   i   f nul nul   M   M
$ od -a riverpan.jp2 | head -2
0000000 nul nul nul  ff   j   P  sp  sp  cr  nl bel  nl nul nul nul dc4
0000020   f   t   y   p   j   p   2  sp nul nul nul nul   j   p   2  sp
Comparing the tailends also indicates a difference in encoding so the file has been converted, not just renamed.

Downloaded these sample files from github - relax.jp2, sail.j2k, world.jp2.
$ imginfo -f relax.jp2
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image

This is not a regression because the same image copied to another system with pre-update jasper loaded gives the same message.  ImageMagick has no problem displaying it.

$ imginfo -f sail.j2k 
warning: ignoring invalid option max_samples
jpc 3 640 480 8 921600
$ imginfo -f world.jp2 
warning: ignoring invalid option max_samples
jp2 3 800 400 8 960000
These display fine also.

$ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2
$ display greyvale.jp2
$ imginfo -f greyvale.jp2
warning: ignoring invalid option max_samples
jp2 1 2304 1728 8 3981312

$ jasper -f sail.j2k -F sail.bmp -T bmp
$ display sail.bmp
$ imginfo -f sail.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
No regression there.  The image displays fine.

$ jasper -f sail.j2k -t jp2 -F sail.pnm -T pnm
error: expecting signature box
error: cannot load image data
This produced an empty output file.
$ convert sail.j2k sail.bmp
$ display sail.bmp
$ jasper -f sail.bmp -t bmp -F sail.pnm -T pnm
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
cannot get info
error: cannot load image data
$ display sail.pnm
display: improper image header `sail.pnm' @ error/pnm.c/ReadPNMImage/287.

jasper is still a work in progress by the looks of it.  None of these failures should be regarded as regressions.  We have seen them before, but the failed PoCs need looking into.

The conversions work in the main, so if the PoC failures can be signalled back upstream this is probably good to go, but shall await advice.

CC: (none) => tarazed25

Comment 48 Len Lawrence 2018-06-09 20:57:02 CEST
Mercy me!  Wrong bug for that last comment.  Apologies.
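
Added example (not from any commenter and not part of jasper): in comment 45, imginfo reports `jpc` for bell_206.jp2 and `jasper -t jp2` then fails with "expecting signature box", which is consistent with a raw codestream carrying a .jp2 suffix; the od dumps in comment 47 show the start of a real JP2 signature box. The script below classifies test inputs by their leading bytes and flags files whose suffix disagrees with their content; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify JPEG-2000 test inputs by content, not by suffix.
# Function names are illustrative and not part of jasper or Mageia tooling.

# First 12 bytes of a file as lowercase hex without separators.
magic_hex() {
    od -An -tx1 -N12 < "$1" | tr -d ' \n'
}

# Print the jasper format name (jp2, jpc, jpg) matching the file content.
sniff_format() {
    [ -r "$1" ] || return 2
    hex=$(magic_hex "$1")
    case "$hex" in
        # JP2 container: 12-byte signature box (length 12, type "jP  ").
        0000000c6a5020200d0a870a*) echo jp2 ;;
        # Raw codestream: SOC marker (ff4f) followed by SIZ marker (ff51).
        ff4fff51*)                 echo jpc ;;
        # Baseline JPEG: SOI marker followed by another marker.
        ffd8ff*)                   echo jpg ;;
        *)                         echo unknown ;;
    esac
}

# Print the format name that the file suffix promises.
ext_format() {
    name=${1##*/}
    case "${name##*.}" in
        jp2)         echo jp2 ;;
        j2k|j2c|jpc) echo jpc ;;
        jpg|jpeg)    echo jpg ;;
        *)           echo unknown ;;
    esac
}

# One line per file; returns 1 when suffix and content disagree.
check_file() {
    actual=$(sniff_format "$1") || { echo "unreadable $1"; return 2; }
    claimed=$(ext_format "$1")
    if [ "$actual" = "$claimed" ]; then
        echo "ok $1 ext=$claimed content=$actual"
    else
        # Pass content=... as the -t value when forcing the input type.
        echo "mismatch $1 ext=$claimed content=$actual"
        return 1
    fi
}

# Stand-alone use: sh sniff.sh bell_206.jp2 sail.j2k ...
for f in "$@"; do
    check_file "$f" || true
done
```

A file reported as `mismatch ... content=jpc` needs `-t jpc` (or no `-t` at all) rather than `-t jp2` when it is fed to jasper.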
