These issues were supposed to have been fixed in Bug 19605, but they were not, according to PoC testing here: https://bugs.mageia.org/show_bug.cgi?id=23139#c10
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer, CC'ing two committers.
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11, nicolas.salguero
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
CC: (none) => tmb
Depends on: (none) => 24760
CVE-2016-9398 fixed in Bug 24760.
Summary: jasper missing fixes for security issues CVEs 2016-939[78] => jasper missing fixes for security issues CVE-2016-9397
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Depends on: (none) => 26690
This security issue is still not fixed upstream and surely never will be: https://github.com/mdadams/jasper/issues/56
And Red Hat closed their bug as WONTFIX: https://bugzilla.redhat.com/show_bug.cgi?id=1485276
I don't see anything upstream that indicates it won't be fixed. The correct RedHat bug is still open: https://bugzilla.redhat.com/show_bug.cgi?id=1396979
Yes, surely nothing indicates that upstream will not fix this issue, but after more than 4 years...
They didn't say they don't intend to fix it, they said it's difficult to reproduce and they are a small volunteer effort like many open source projects. When you get dozens of reported vulnerabilities through fuzzing, it can be difficult to fix them all quickly. Just be patient.
Summary: jasper missing fixes for security issues CVE-2016-9397 => jasper missing fix for security issue CVE-2016-9397
Status comment: (none) => No fix available as of May 2020
I saw that Debian and Ubuntu dropped jasper, presumably due to security concerns. Can we drop it too? Can things be built against openjpeg/openjpeg2 instead?
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Someone posted upstream and claimed again that 1.900.26 fixed it in 2016. I believe our QA team previously tested 1.900.23 when it was determined to not be fixed, so this second commit referenced on the upstream issue might have actually fixed it. I sent a message to the qa-discuss list asking to test the PoC again.
Status comment: No fix available as of May 2020 => Need to test the PoC again, might already be fixed
(In reply to David Walser from comment #7)
> I saw that Debian and Ubuntu dropped jasper, presumably due to security
> concerns. Can we drop it too? Can things be built against
> openjpeg/openjpeg2 instead?

We should also determine an answer to this question.
Status comment: Need to test the PoC again, might already be fixed => Need to test the PoC again, might already be fixed, also this maybe could be dropped
Does this clear it up? https://bugs.mageia.org/show_bug.cgi?id=23139

Quoting from https://bugs.mageia.org/attachment.cgi?id=10233

date = 2018-06-09
jasper-1.900.23-5.1.mga6
---------------------

CVE-2016-9397
https://github.com/asarubbo/poc/blob/master/00010-jasper-assert-jpc_dequantize

$ imginfo -f 00010-jasper-assert-jpc_dequantize
warning: ignoring invalid option max_samples
warning: ignoring unknown marker segment (0xff76)
type = 0xff76 (UNKNOWN); len = 20;
00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imginfo: jpc_dec.c:1830: jpc_dequantize: Assertion `absstepsize >= 0' failed.
Aborted (core dumped)

---------------------------------------------------------------

CVE-2016-9398
https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2

$ imginfo -f 00023-jasper-assert-jpc_floorlog2
warning: ignoring invalid option max_samples
imginfo: jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
Aborted (core dumped)

***************************************************************

Testing again against current jasper-2.0.23-1.mga7

CVE-2016-9397

$ imginfo -f 00010-jasper-assert-jpc_dequantize
invalid component bit depth 114
cannot get marker segment
error: cannot decode code stream
cannot load image

<and using the tweaked PoC>

$ file POC3
POC3: JPEG 2000 Part 1 (JP2)
$ imginfo -f POC3
error: no code stream found
cannot load image

CVE-2016-9398

$ imginfo -f 00023-jasper-assert-jpc_floorlog2
invalid component bit depth 128
cannot get marker segment
error: cannot decode code stream
cannot load image

These look like good results so I would say that the issue is fixed.
Have not changed the whiteboard.
CC: (none) => tarazed25
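The re-test above compares two outcomes by eye: an assertion abort ("Aborted (core dumped)") versus a handled rejection ("cannot load image"). The following sh harness is an added example, not code from the bug report or from jasper: it runs a decoder over each PoC file and decides the verdict from the exit status, so SIGABRT from a reachable assert() is told apart from a clean error, and a whole PoC set can gate a package update. It assumes the decoder takes the file as its last argument, as imginfo -f does in the comment; the file names in the usage line are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report: re-run a decoder over PoC files and
# classify each outcome by exit status. assert() raises SIGABRT, reported by the
# shell as 128+6 = 134, which is the "Aborted (core dumped)" case in the report.

# Map an exit status to a verdict. 0: decoded; 1-127: rejected with an error
# message; 128+n: killed by signal n. 134 means the PoC still reaches an
# assertion (a crash), while REJECTED is the "cannot load image" path.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo OK
    elif [ "$status" -ge 128 ]; then
        sig=$((status - 128))
        if [ "$sig" -eq 6 ]; then echo ABORT; else echo "SIGNAL $sig"; fi
    else
        echo REJECTED
    fi
}

# check_poc FILE CMD [ARGS...]: run CMD ARGS... FILE and print the verdict.
# Decoder output is discarded; only the exit status decides. The if/else keeps
# a failing decoder from tripping set -e in the calling script.
check_poc() {
    poc=$1; shift
    if "$@" "$poc" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# check_all "CMD ARGS" FILE...: report every PoC; return non-zero if any file
# crashed the decoder, so QA can fail the update on the whole PoC set.
check_all() {
    cmd=$1; shift
    rc=0
    for poc in "$@"; do
        verdict=$(check_poc "$poc" $cmd)   # $cmd unquoted so "imginfo -f" splits
        printf '%s: %s\n' "$poc" "$verdict"
        case $verdict in OK|REJECTED) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Usage, with the PoC file names from the comment above:
# check_all "imginfo -f" 00010-jasper-assert-jpc_dequantize 00023-jasper-assert-jpc_floorlog2
```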
Thank you Len!
Status comment: Need to test the PoC again, might already be fixed, also this maybe could be dropped => (none)
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Version: Cauldron => 7
Whiteboard: MGA8TOO, MGA7TOO => (none)