Bug 23139 - jasper missing fix for security issue CVE-2016-9396 and new security issue CVE-2018-9055
Summary: jasper missing fix for security issue CVE-2016-9396 and new security issue CV...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 22:38 CEST by David Walser
Modified: 2018-06-14 20:16 CEST

See Also:
Source RPM: jasper-2.0.14-1.mga7.src.rpm
CVE:
Status comment:


Attachments
Brief description of PoC tests for various CVEs (1.52 KB, text/plain)
2018-06-09 18:27 CEST, Len Lawrence
Un piccolo divertimento (2.60 KB, text/plain)
2018-06-09 19:48 CEST, Len Lawrence
Testcases for several CVEs. (7.70 KB, text/plain)
2018-06-09 23:18 CEST, Len Lawrence

Description David Walser 2018-06-07 22:38:44 CEST
Fedora has issued advisories on June 2 and 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V63HVBFSQBPI6D3JW46NY32DKGCE2YB4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z4Y3IHK6BEQT5WT5T4M6MVARCCSWXQLU/

The issue is fixed upstream in 2.0.15.

The last update for Mageia 5/6 was supposed to have also fixed this, but it's worth double checking.
Comment 1 David Walser 2018-06-07 23:29:30 CEST
openSUSE has issued an advisory on May 28:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00130.html

It fixes one new issue.  Mageia 5 and Mageia 6 are probably also affected.

Summary: jasper missing fix for security issue CVE-2016-9396 => jasper missing fix for security issue CVE-2016-9396 and new security issue CVE-2018-9055

Comment 2 David GEIGER 2018-06-08 07:47:06 CEST
Done for Cauldron, mga6 and also mga5!

CC: (none) => geiger.david68210

Comment 3 David Walser 2018-06-08 14:05:03 CEST
Thanks David!

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

An assertion failure was possible to trigger in JPC_NOMINALGAIN
(CVE-2016-9396).

Denial of service via a reachable assertion in the function jpc_firstone in
libjasper/jpc/jpc_math.c could lead to denial of service (CVE-2018-9055).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9055
https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V63HVBFSQBPI6D3JW46NY32DKGCE2YB4/
https://lists.opensuse.org/opensuse-updates/2018-05/msg00130.html
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.23-1.1.mga5
libjasper1-1.900.23-1.1.mga5
libjasper-devel-1.900.23-1.1.mga5
libjasper-static-devel-1.900.23-1.1.mga5
jasper-1.900.23-5.1.mga6
libjasper1-1.900.23-5.1.mga6
libjasper-devel-1.900.23-5.1.mga6
libjasper-static-devel-1.900.23-5.1.mga6

from SRPMS:
jasper-1.900.23-1.1.mga5.src.rpm
jasper-1.900.23-5.1.mga6.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO
Version: Cauldron => 6
Assignee: nicolas.salguero => qa-bugs

Comment 4 Len Lawrence 2018-06-09 10:10:01 CEST
Taking this on for Mageia 6, x86_64
Have accumulated a number of testcases discovered upstream using the American Fuzzy Lop technique.  There is a chance that some of these might require testing in an ASAN framework.  More later.

CC: (none) => tarazed25

Comment 5 Herman Viaene 2018-06-09 12:02:34 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Downloaded testfiles relax.jp2 and imagewithalpha.jp2 from bug 19605 Comment 23.
Gimp cannot open any of the 2, which is in line with bug 19605
$ imginfo relax.jp2
just hangs for 20 min. now, no feedback at all. I wonder if this is due to the laptop not being able to handle this???

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2018-06-09 17:49:22 CEST
@Herman
In the middle of the PoC tests just now but shall see how 64-bits handles those files.  This machine has lots of RAM as well.
Comment 7 Len Lawrence 2018-06-09 18:27:05 CEST
Created attachment 10231
Brief description of PoC tests for various CVEs

Some of the CVEs have been listed against jasper before which could explain why some of the tests run fine before and after the update (no change, and indications that the underlying issues are handled cleanly).
Comment 8 Len Lawrence 2018-06-09 19:06:58 CEST
@Herman - comment 5.  Try 
$ imginfo -f relax.jp2
           ^
That one caught me too at the beginning.
Comment 9 Len Lawrence 2018-06-09 19:48:01 CEST
Created attachment 10232
Un piccolo divertimento
Comment 10 Len Lawrence 2018-06-09 20:55:39 CEST
There were two failures in the PoC tests, for CVEs 2016-939{7,8}.

Referring back to Herman's tests and bug 19605 c3....

Downloaded ht2jk.jpg from https://jpeg.org/jpeg2000/htj2k.html.
$ file ht2jk.jpg 
ht2jk.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=12, manufacturer=Canon, model=Canon PowerShot A540, orientation=upper-left, xresolution=186, yresolution=194, resolutionunit=2, datetime=2009:09:13 12:26:29], baseline, precision 8, 2816x558, frames 3

Looks like an ordinary JPEG.
$ imginfo -f ht2jk.jpg 
jpg 3 2816 558 8 4713984

$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2
$ imginfo -f riverpan.jp2
warning: ignoring invalid option max_samples
jp2 3 2816 558 8 4713984
$ diff riverpan.jp2 ht2jk.jpg
Binary files riverpan.jp2 and ht2jk.jpg differ
$ od -a ht2jk.jpg | head -2
0000000 del   X del   ` nul dle   J   F   I   F nul soh soh soh nul   `
0000020 nul   ` nul nul del   a nak   `   E   x   i   f nul nul   M   M
$ od -a riverpan.jp2 | head -2
0000000 nul nul nul  ff   j   P  sp  sp  cr  nl bel  nl nul nul nul dc4
0000020   f   t   y   p   j   p   2  sp nul nul nul nul   j   p   2  sp
Comparing the tailends also indicates a difference in encoding so the file has been converted, not just renamed.

Downloaded these sample files from github - relax.jp2, sail.j2k, world.jp2.
$ imginfo -f relax.jp2
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image

This is not a regression because the same image copied to another system with pre-update jasper loaded gives the same message.  ImageMagick has no problem displaying it.

$ imginfo -f sail.j2k 
warning: ignoring invalid option max_samples
jpc 3 640 480 8 921600
$ imginfo -f world.jp2 
warning: ignoring invalid option max_samples
jp2 3 800 400 8 960000
These display fine also.

$ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2
$ display greyvale.jp2
$ imginfo -f greyvale.jp2
warning: ignoring invalid option max_samples
jp2 1 2304 1728 8 3981312

$ jasper -f sail.j2k -F sail.bmp -T bmp
$ display sail.bmp
$ imginfo -f sail.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
No regression there.  The image displays fine.

$ jasper -f sail.j2k -t jp2 -F sail.pnm -T pnm
error: expecting signature box
error: cannot load image data
This produced an empty output file.
$ convert sail.j2k sail.bmp
$ display sail.bmp
$ jasper -f sail.bmp -t bmp -F sail.pnm -T pnm
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
cannot get info
error: cannot load image data
$ display sail.pnm
display: improper image header `sail.pnm' @ error/pnm.c/ReadPNMImage/287.

jasper is still a work in progress by the looks of it.  None of these failures should be regarded as regressions.  We have seen them before, but the failed PoCs need looking into.

The conversions work in the main, so if the failures can be signalled back upstream this is probably good to go, but shall await advice.
Comment 11 Len Lawrence 2018-06-09 23:18:41 CEST
Created attachment 10233
Testcases for several CVEs.

Attachment 10231 is obsolete: 0 => 1

Comment 12 Len Lawrence 2018-06-09 23:28:05 CEST
Had to replace the PoC report.  I seem to have picked up a fragment of my initial report somehow.

Also, it should have been emphasized that the tests show that the two issues which are the essential point of this update do appear to have been addressed effectively.
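A small QA harness of the kind the PoC runs in comments 7, 10 and 12 call for, added here as an example; it is not part of this bug report or of JasPer. It runs a decoder command (assumed to be `imginfo -f`, as used throughout this bug) over a directory of test files and classifies each exit status, so that a reachable-assertion abort, the bug class of both CVEs in the advisory, is told apart from a file the decoder rejected cleanly. The `./poc` directory layout, the 60 second limit and the verdict names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from JasPer. An assert() failure
# kills the process with SIGABRT, so exit 134 (128+6) marks the reachable
# assertions of CVE-2016-9396 / CVE-2018-9055; a non-zero exit with a message
# such as "cannot load image" means the input was rejected gracefully.

# classify_status STATUS -> ok | handled | ASSERT | CRASH | TIMEOUT
classify_status() {
    case "$1" in
        0)   echo ok ;;        # decoded normally
        124) echo TIMEOUT ;;   # timeout(1) expired (cf. the 20-minute hang in comment 5)
        134) echo ASSERT ;;    # 128+SIGABRT: reachable assertion, the bug class of this update
        139) echo CRASH ;;     # 128+SIGSEGV: memory-safety failure, worth an ASAN build
        *)   echo handled ;;   # graceful rejection, e.g. "cannot load image"
    esac
}

# run_case DECODER FILE [SECONDS] -> "<verdict> <file>"; decoder output is discarded
run_case() {
    decoder="$1"; file="$2"; limit="${3:-60}"; status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$limit" $decoder "$file" >/dev/null 2>&1 || status=$?
    else
        $decoder "$file" >/dev/null 2>&1 || status=$?
    fi
    echo "$(classify_status "$status") $file"
}

# run_suite DECODER DIR -> one verdict line per file; returns 1 if any file
# aborted, crashed or timed out, so it can gate an update in a script
run_suite() {
    decoder="$1"; dir="$2"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        verdict=$(run_case "$decoder" "$f")
        echo "$verdict"
        case "$verdict" in ASSERT*|CRASH*|TIMEOUT*) bad=1 ;; esac
    done
    return "$bad"
}

# Usage: sh poc_harness.sh --run [DIR]   (DIR defaults to ./poc, an assumed layout)
if [ "${1:-}" = "--run" ]; then
    run_suite "imginfo -f" "${2:-./poc}"
fi
```

Run it once against the pre-update package and once after; a file that moves from ASSERT to handled is the fix working, while one that stays ASSERT is an issue still open upstream.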
Comment 13 Herman Viaene 2018-06-10 11:05:47 CEST
Re Comment 8 : tx Len, but
$ imginfo -f relax.jp2 
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image
and
$ imginfo -f imagewithalpha.jp2 
warning: ignoring invalid option max_samples
cannot get header
error: failed to parse ICC profile
cannot load image
Confirm Len's results.
$ imginfo -f 1973-024.jpg 
jpg 3 2904 4208 8 36660096
$ jasper --input 1973-024.jpg --output-format jp2 --output 1973-024.jp2
$ imginfo -f 1973-024.jp2
warning: ignoring invalid option max_samples
jp2 3 2904 4208 8 36660096
Looks OK in gimp.
The whole thing seriously overloads this little machine, abandoning further tests. As for me, it might be OK'ed.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 14 Len Lawrence 2018-06-10 11:32:13 CEST
Thanks for your tests Herman.  Ready to OK this because the failed PoC tests are for CVEs which are not directly mentioned in the advisory.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 15 David Walser 2018-06-10 11:42:29 CEST
David, are there additional patches for the CVEs mentioned in Comment 10?
Comment 16 David GEIGER 2018-06-11 10:50:00 CEST
(In reply to David Walser from comment #15)
> David, are there additional patches for the CVEs mentioned in Comment 10?

I can't find any patches for these two CVEs :(

https://github.com/mdadams/jasper/issues/56

https://github.com/mdadams/jasper/issues/71
Comment 17 Len Lawrence 2018-06-11 11:16:16 CEST
Thanks David and David, looks like we have done as much as we can.  Validating this.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 claire robinson 2018-06-14 17:56:34 CEST
Advisory uploaded

Keywords: (none) => advisory

Comment 19 Mageia Robot 2018-06-14 20:16:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0281.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

