Fedora has issued advisories on June 2 and 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V63HVBFSQBPI6D3JW46NY32DKGCE2YB4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z4Y3IHK6BEQT5WT5T4M6MVARCCSWXQLU/

The issue is fixed upstream in 2.0.15.

The last update for Mageia 5/6 was supposed to have also fixed this, but it's worth double checking.
openSUSE has issued an advisory on May 28:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00130.html

It fixes one new issue.

Mageia 5 and Mageia 6 are probably also affected.
Summary: jasper missing fix for security issue CVE-2016-9396 => jasper missing fix for security issue CVE-2016-9396 and new security issue CVE-2018-9055
Done for Cauldron, mga6 and also mga5!
CC: (none) => geiger.david68210
Thanks David!

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

An assertion failure was possible to trigger in JPC_NOMINALGAIN (CVE-2016-9396).

Denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c could lead to denial of service (CVE-2018-9055).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9055
https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V63HVBFSQBPI6D3JW46NY32DKGCE2YB4/
https://lists.opensuse.org/opensuse-updates/2018-05/msg00130.html
========================

Updated packages in core/updates_testing:
========================

jasper-1.900.23-1.1.mga5
libjasper1-1.900.23-1.1.mga5
libjasper-devel-1.900.23-1.1.mga5
libjasper-static-devel-1.900.23-1.1.mga5

jasper-1.900.23-5.1.mga6
libjasper1-1.900.23-5.1.mga6
libjasper-devel-1.900.23-5.1.mga6
libjasper-static-devel-1.900.23-5.1.mga6

from SRPMS:
jasper-1.900.23-1.1.mga5.src.rpm
jasper-1.900.23-5.1.mga6.src.rpm
CC: (none) => nicolas.salguero
Version: Cauldron => 6
Assignee: nicolas.salguero => qa-bugs
Whiteboard: (none) => MGA5TOO
Taking this on for Mageia 6, x86_64

Have accumulated a number of testcases discovered upstream using the American Fuzzy Lop technique. There is a chance that some of these might require testing in an ASAN framework. More later.
CC: (none) => tarazed25
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Downloaded testfiles relax.jp2 and imagewithalpha.jp2 from bug 19605 Comment 23.
Gimp cannot open any of the 2, which is in line with bug 19605.
$ imginfo relax.jp2
just hangs for 20 min. now, no feedback at all. I wonder if this is due to the laptop not being able to handle this???
CC: (none) => herman.viaene
@Herman In the middle of the PoC tests just now but shall see how 64-bits handles those files. This machine has lots of RAM as well.
Created attachment 10231 [details] Brief description of PoC tests for various CVEs Some of the CVEs have been listed against jasper before which could explain why some of the tests run fine before and after the update (no change, and indications that the underlying issues are handled cleanly).
@Herman - comment 5.

Try
$ imginfo -f relax.jp2
          ^
That one caught me too at the beginning.
Created attachment 10232 [details] Un piccolo divertimento
There were two failures in the PoC tests, for CVEs 2016-939{7,8}.

Referring back to Herman's tests and bug 19605 c3....

Downloaded ht2jk.jpg from https://jpeg.org/jpeg2000/htj2k.html.

$ file ht2jk.jpg
ht2jk.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=12, manufacturer=Canon, model=Canon PowerShot A540, orientation=upper-left, xresolution=186, yresolution=194, resolutionunit=2, datetime=2009:09:13 12:26:29], baseline, precision 8, 2816x558, frames 3

Looks like an ordinary JPEG.

$ imginfo -f ht2jk.jpg
jpg 3 2816 558 8 4713984
$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2
$ imginfo -f riverpan.jp2
warning: ignoring invalid option max_samples
jp2 3 2816 558 8 4713984
$ diff riverpan.jp2 ht2jk.jpg
Binary files riverpan.jp2 and ht2jk.jpg differ
$ od -a ht2jk.jpg | head -2
0000000 del   X del   ` nul dle   J   F   I   F nul soh soh soh nul   `
0000020 nul   ` nul nul del   a nak   `   E   x   i   f nul nul   M   M
$ od -a riverpan.jp2 | head -2
0000000 nul nul nul  ff   j   P  sp  sp  cr  nl bel  nl nul nul nul dc4
0000020   f   t   y   p   j   p   2  sp nul nul nul nul   j   p   2  sp

Comparing the tailends also indicates a difference in encoding so the file has been converted, not just renamed.

Downloaded these sample files from github - relax.jp2, sail.j2k, world.jp2.

$ imginfo -f relax.jp2
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image

This is not a regression because the same image copied to another system with pre-update jasper loaded gives the same message. ImageMagick has no problem displaying it.

$ imginfo -f sail.j2k
warning: ignoring invalid option max_samples
jpc 3 640 480 8 921600
$ imginfo -f world.jp2
warning: ignoring invalid option max_samples
jp2 3 800 400 8 960000

These display fine also.

$ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2
$ display greyvale.jp2
$ imginfo -f greyvale.jp2
warning: ignoring invalid option max_samples
jp2 1 2304 1728 8 3981312
$ jasper -f sail.j2k -F sail.bmp -T bmp
$ display sail.bmp
$ imginfo -f sail.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600

No regression there. The image displays fine.

$ jasper -f sail.j2k -t jp2 -F sail.pnm -T pnm
error: expecting signature box
error: cannot load image data

This produced an empty output file.

$ convert sail.j2k sail.bmp
$ display sail.bmp
$ jasper -f sail.bmp -t bmp -F sail.pnm -T pnm
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
cannot get info
error: cannot load image data
$ display sail.pnm
display: improper image header `sail.pnm' @ error/pnm.c/ReadPNMImage/287.

jasper is still a work in progress by the looks of it. None of these failures should be regarded as regressions. We have seen them before, but the failed PoCs need looking into. The conversions work in the main, so if the failures can be signalled back upstream this is probably good to go, but shall await advice.
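Both CVEs in this update are reachable assert() calls, so the outcome a PoC run is looking for is a SIGABRT (exit status 134 from the shell) rather than a wrong answer, and a fuzzer-derived file can just as easily hang the decoder (comment 5) or crash it some other way. The following harness is an added example for driving a directory of such testcases through imginfo; it is not from this bug report, the attached PoC notes, or the jasper project. It assumes GNU coreutils timeout(1) is installed, that jasper's imginfo is on PATH, and that the testcases live in a directory named on the command line (./poc below is an assumed name). It also classifies the ASAN case raised in comment 3: an ASAN-instrumented build reports the error on stderr and exits 1 instead of aborting, so the harness keys on that text rather than on the exit status.

```shell
#!/bin/sh
# Added example harness (not from the Mageia bug or the jasper project).
# Assumptions: GNU coreutils `timeout` and jasper's `imginfo` are on PATH,
# and the PoC files sit in a directory passed as the only argument.

# Map an exit status from timeout(1) to a one-word label. 124 is timeout's
# own code for an expired limit; 128+N means the child died from signal N:
# 6 (SIGABRT) is what a failed assert() produces, which is the outcome for
# both CVEs in the advisory, and 11 is SIGSEGV.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;
        134) echo abort ;;
        139) echo segv ;;
        *)   echo "error:$1" ;;
    esac
}

# Run one command under a time limit (seconds) and print its verdict.
# Stderr is captured so an ASAN build, which exits 1 rather than aborting,
# is still reported as "asan". Always returns 0 so callers can use `set -e`.
run_case() {
    limit=$1; shift
    errlog=$(mktemp)
    status=0
    timeout "$limit" "$@" >/dev/null 2>"$errlog" || status=$?
    if grep -q 'AddressSanitizer' "$errlog"; then
        verdict=asan
    else
        verdict=$(classify_status "$status")
    fi
    rm -f "$errlog"
    echo "$verdict"
}

# Run every regular file in a directory through `imginfo -f FILE`.
# The -f matters: without it imginfo reads stdin, which is the apparent
# hang seen in comment 5.
check_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%-24s %s\n' "$(basename "$f")" "$(run_case 10 imginfo -f "$f")"
    done
}

# Usage: sh poc-harness.sh ./poc
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    check_dir "$1"
fi
```

Run it once against the pre-update package and once against the updates_testing one and diff the two listings: a file that moves from "abort" to "ok" or "error:1" is a fixed assertion, one that stays at "abort" or "segv" is a PoC that still needs attention, and "timeout" flags files worth re-running with a longer limit before concluding the decoder is stuck.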
Created attachment 10233 [details] Testcases for several CVEs.
Attachment 10231 is obsolete: 0 => 1
Had to replace the PoC report. I seem to have picked up a fragment of my initial report somehow. Also, it should have been emphasized that the tests show that the two issues which are the essential point of this update do appear to have been addressed effectively.
Re Comment 8 : tx Len, but
$ imginfo -f relax.jp2
warning: ignoring invalid option max_samples
ICC Profile CS 52474220
error: failed to create jas_cmprof_t
cannot load image
and
$ imginfo -f imagewithalpha.jp2
warning: ignoring invalid option max_samples
cannot get header
error: failed to parse ICC profile
cannot load image
Confirm Len's results.

$ imginfo -f 1973-024.jpg
jpg 3 2904 4208 8 36660096
$ jasper --input 1973-024.jpg --output-format jp2 --output 1973-024.jp2
$ imginfo -f 1973-024.jp2
warning: ignoring invalid option max_samples
jp2 3 2904 4208 8 36660096
Looks OK in gimp.

The whole thing seriously overloads this little machine, abandoning further tests.
As for me, it might be OK'ed.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Thanks for your tests Herman. Ready to OK this because the failed PoC tests are for CVEs which are not directly mentioned in the advisory.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
David, are there additional patches for the CVEs mentioned in Comment 10?
(In reply to David Walser from comment #15)
> David, are there additional patches for the CVEs mentioned in Comment 10?

I can't find any patches for these two CVEs :(

https://github.com/mdadams/jasper/issues/56
https://github.com/mdadams/jasper/issues/71
Thanks David and David, looks like we have done as much as we can. Validating this.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0281.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED