jasper 2.0.19 has been released on July 28: https://github.com/jasper-software/jasper/releases The upstream NEWS file lists some CVEs we haven't previously mentioned: https://github.com/jasper-software/jasper/blob/master/NEWS Assuming those are new fixes vs. what we had already patched, we should update it.
Assigning to you, David, as having done several relatively recent updates to this. Change this if you do not agree.
Assignee: bugsquad => geiger.david68210
Done for mga7!
I found a Gentoo advisory from August 9, 2019, with more CVEs: https://security.gentoo.org/glsa/201908-03

Fortunately the additional ones are bogus, previously fixed, or fixed here. The CVE-2016-939[6-8] duplicates were fixed in Bug 19605.

New CVEs from the Gentoo advisory are:
CVE-2017-13745 fixed here
CVE-2017-13746 fixed here
CVE-2017-13747 (CVE-2016-9398)
CVE-2017-13749 fixed here
CVE-2017-13752 (CVE-2016-9397)
CVE-2017-13753 (CVE-2016-9396)
CVE-2017-14229 (bogus)
CVE-2017-6851 fixed here
CVE-2017-6852 fixed here
CVE-2018-20584 (bogus)

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows remote attackers to cause a denial of service (invalid read) via a crafted image (CVE-2017-6851).

Heap-based buffer overflow in the jpc_dec_decodepkt function in jpc_t2dec.c in JasPer 2.0.10 allows remote attackers to have unspecified impact via a crafted image (CVE-2017-6852).

JasPer 2.0.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jp2_decode function in libjasper/jp2/jp2_dec.c (CVE-2017-9782).

There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack by triggering an unexpected jpc_ppmstabtostreams return value (CVE-2017-13745).

There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer 2.0.12 that will lead to a remote denial of service attack (CVE-2017-13746).

There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack (CVE-2017-13748).

There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12 that will lead to a remote denial of service attack (CVE-2017-13749).

There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a remote denial of service attack (CVE-2017-13750).

There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack (CVE-2017-13751).

JasPer 2.0.13 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jas_image_ishomosamp function in libjasper/base/jas_image.c (CVE-2017-14132).

JasPer 2.0.14 allows denial of service via a reachable assertion in the function jpc_abstorelstepsize in libjasper/jpc/jpc_enc.c (CVE-2018-9252).

An issue was discovered in JasPer 2.0.14. There is a NULL pointer dereference in the function ras_putdatastd in ras/ras_enc.c (CVE-2018-18873).

An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c (CVE-2018-19139).

An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c (CVE-2018-19543).

jp2_encode in jp2/jp2_enc.c in JasPer 2.0.14 has a heap-based buffer over-read (CVE-2018-20570).

JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used (CVE-2018-20622).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20622
https://github.com/jasper-software/jasper/blob/master/NEWS
https://security.gentoo.org/glsa/201908-03
========================

Updated packages in core/updates_testing:
========================

jasper-2.0.19-1.mga7
libjasper4-2.0.19-1.mga7
libjasper-devel-2.0.19-1.mga7

from jasper-2.0.19-1.mga7.src.rpm
CC: (none) => geiger.david68210
Summary: jasper new security issues CVE-2017-9782, CVE-2017-13748, CVE-2017-13750, CVE-2017-13751, CVE-2017-14132, CVE-2018-9252, CVE-2018-18873, CVE-2018-19139, CVE-2018-19543, CVE-2018-20570, CVE-2018-20622 => jasper new security issues CVE-2017-685[12], CVE-2017-9782, CVE-2017-1374[5-9], CVE-2017-1375[0-3], CVE-2017-14132, CVE-2017-14229, CVE-2018-9252, CVE-2018-18873, CVE-2018-19139, CVE-2018-19543, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622
Assignee: geiger.david68210 => qa-bugs
Staking this one out. Looks like there might be a lot of PoCs - bound to take a while.
CC: (none) => tarazed25
Finished collecting PoC for all the CVEs. Updating later.
Created attachment 11789: PoC tests before and after updates
mga7, x86_64

Satisfactory conclusion to the PoC tests (see attachment).

Tried testing examples from Bug 23139 with images from GitHub. ht2jk displays as an ordinary JPEG with ImageMagick. Compare:

$ imginfo -f ht2jk.jpg
jpg 3 2816 558 8 4713984

$ file ht2jk.jpg
ht2jk.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=12, manufacturer=Canon, model=Canon PowerShot A540, orientation=upper-left, xresolution=186, yresolution=194, resolutionunit=2, datetime=2009:09:13 12:26:29], baseline, precision 8, 2816x558, components 3

$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2
$ imginfo -f riverpan.jp2
jp2 3 2816 558 8 4713984
$ ll riverpan.jp2
-rw-r--r-- 1 lcl lcl 1570642 Aug 7 15:38 riverpan.jp2

The file size is a little more than 3 times the file size - 3 components. No regression - in fact a better result than in the previous bug. A hexdump finds the jp2 filetype in the header.

$ imginfo -f relax.jp2
ICC Profile CS 52474220
cannot load image

A similar message was posted in the earlier test so there may still be problems. IM display renders both images without issues.

$ imginfo -f sail.j2k
jpc 3 640 480 8 921600
$ display sail.j2k

Fine.

$ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2
$ display greyvale.jp2

Perfect.

$ jasper -f sail.j2k -F sail.bmp -T bmp
lcl@difda:jasper $ imginfo -f sail.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
$ display sail.bmp

No problem.

This conversion still does not work:

$ jasper -f sail.j2k -t jp2 -F sail.pnm -T pnm
error: cannot get box
error: cannot load image data

No regressions observed, conversions work in the main and all the PoC tests give positive results.
Whiteboard: (none) => MGA7-64-OK
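The "cannot get box" error in the test above comes from JasPer's JP2 box reader being handed a raw codestream (sail.j2k has no boxes at all), and several of the CVEs in the advisory (CVE-2017-9782, CVE-2018-19543) are heap over-reads in that same jp2_decode path. As an added example, not JasPer's code and not part of this bug report, here is a minimal Python walker over the JP2 box structure that validates every box length against the bytes actually present before accepting it, which is the check that keeps a crafted length from becoming an out-of-bounds read. The sample files are constructed inline and are not decodable images; the function and helper names are my own.

```python
"""Bounds-checked walker over the JP2 box structure (added example, not JasPer code).

A JP2 file is a sequence of boxes: a 4-byte big-endian length (LBox), a 4-byte
type (TBox), an optional 8-byte extended length (XLBox, used when LBox == 1),
then the payload. LBox == 0 means "runs to end of file". Every length is checked
against the bytes actually available before the box is accepted, so a crafted
length becomes an error instead of an over-read.
"""
import struct

# Fixed 12-byte JP2 signature box: length 12, type 'jP  ', contents 0D 0A 87 0A.
JP2_SIGNATURE = bytes.fromhex("0000000C6A5020200D0A870A")


def walk_jp2_boxes(data: bytes):
    """Return [(box_type, header_len, payload_len), ...] for the top-level boxes.

    Raises ValueError on a missing signature or any inconsistent length.
    """
    if not data.startswith(JP2_SIGNATURE):
        # A raw JPEG 2000 codestream (.j2k/.jpc) starts with the SOC marker
        # FF 4F instead, so there is no box to get.
        raise ValueError("missing JP2 signature box")
    boxes = []
    pos, total = 0, len(data)
    while pos < total:
        if total - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        (lbox,) = struct.unpack(">I", data[pos:pos + 4])
        tbox = data[pos + 4:pos + 8].decode("latin-1")
        hdr = 8
        if lbox == 1:                       # extended length follows the type
            if total - pos < 16:
                raise ValueError(f"truncated XLBox for {tbox!r} at offset {pos}")
            (lbox,) = struct.unpack(">Q", data[pos + 8:pos + 16])
            hdr = 16
        elif lbox == 0:                     # box extends to end of file
            lbox = total - pos
        if lbox < hdr:
            raise ValueError(f"box {tbox!r} at offset {pos}: length {lbox} smaller than its header")
        if lbox > total - pos:
            raise ValueError(f"box {tbox!r} at offset {pos}: length {lbox} exceeds remaining {total - pos} bytes")
        boxes.append((tbox, hdr, lbox - hdr))
        pos += lbox
    return boxes


def check_jp2(data: bytes):
    """Convenience wrapper: (True, [box types]) or (False, error message)."""
    try:
        return True, [b[0] for b in walk_jp2_boxes(data)]
    except ValueError as exc:
        return False, str(exc)


def make_box(tbox: bytes, payload: bytes) -> bytes:
    """Build a box with a standard 8-byte header (helper for the constructed samples)."""
    return struct.pack(">I", 8 + len(payload)) + tbox + payload


# Constructed sample: signature, ftyp (brand 'jp2 '), an empty jp2h, and a jp2c box
# holding just the SOC marker. Enough for the box walker; not a decodable image.
GOOD = (JP2_SIGNATURE
        + make_box(b"ftyp", b"jp2 " + b"\x00\x00\x00\x00" + b"jp2 ")
        + make_box(b"jp2h", b"")
        + make_box(b"jp2c", b"\xff\x4f"))

# Constructed malformed sample: same file, but the final jp2c box claims a length
# of 0x7FFFFFFF bytes. A reader that trusts LBox would read far past the buffer.
BAD = GOOD[:-10] + struct.pack(">I", 0x7FFFFFFF) + b"jp2c" + b"\xff\x4f"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("RAW_J2K", b"\xff\x4f\xff\x51")):
        print(name, check_jp2(sample))
```

Running the block prints the box list for GOOD, a length error for BAD, and a missing-signature error for the raw codestream bytes, which is the same situation as feeding sail.j2k to the jp2 decoder. The walker only checks container structure; payload contents (ihdr, colr, the codestream itself) still need their own validation inside each box.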
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0337.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2018-19542 also fixed by this update: https://ubuntu.com/security/notices/USN-4688-1
CVE-2021-27845 also fixed by this update:
https://lists.suse.com/pipermail/sle-security-updates/2022-February/010303.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S5RBUBOWU2ZWM5DFWVKEIL4FWPETOKDU/