Fedora has issued an advisory on February 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HD2Y2LT4N5ZWCMKYCUIKB3XODNJLOW3J/ The issue will be fixed upstream in 2.0.25, and the RedHat bug has a link to the upstream commit that fixed the issue: https://bugzilla.redhat.com/show_bug.cgi?id=1921325 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Fedora
Assigning to DavidG as having done a few recent commits.
Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security
Component: Backports => Security
Freeze push asked for new 2.0.25 release!
Done for both mga8 and mga7 in Core/updates_testing repo!
Since we're apparently not allowed to fix anything else before the Mageia 8 release, this will have to wait and be re-pushed later. Saving the Mageia 7 package list:
jasper-2.0.25-1.mga7
libjasper4-2.0.25-1.mga7
libjasper-devel-2.0.25-1.mga7
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: Patch available from Fedora => Updated in SVN
If it is tested on mga8 it can be moved to Core/Release, so if someone can test it, thanks in advance! There is also mingw-jasper to test on mga8.
Looking at this.

jasper is a software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard (i.e., ISO/IEC 15444-1). This package contains tools for working with JPEG-2000 images.

$ rpm -qa | grep jasper
lib64jasper4-2.0.23-2.mga8

urpmi jasper
jasper-2.0.23-2.mga8 install OK.

Looking at https://bugs.mageia.org/show_bug.cgi?id=27842
Thanks Len, I see what to do.

https://github.com/jasper-software/jasper/issues/259
Using PoC hoob_8

$ jasper --input ./hoob_8 --output test.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: component data type mismatch
=================================================================
==15245==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002f8 at pc 0x7f641ad754be bp 0x7fffbeaa2a50 sp 0x7fffbeaa2a48
READ of size 8 at 0x6020000002f8 thread T0
[...]

Correctly reproduced.

Installing using QA Repo
jasper-2.0.25-1.mga8.x86_64.rpm
lib64jasper4-2.0.25-1.mga8.x86_64.rpm

$ jasper --input ./hoob_8 --output test.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
error: component data type mismatch (IHDR)
error: cannot load image data

No heap-buffer-overflow. Give this OK.
mingw-jasper should be the same.
CC: (none) => ouaurelien
Seems available for tests.
Assignee: geiger.david68210 => qa-bugs
CC: (none) => mageia
Needed to be pushed in Cauldron still.
Assignee: qa-bugs => geiger.david68210
Done. Just after a release it is sometimes hard to see what is or is not yet pushed, and where :)
Status comment: Updated in SVN => (none)
Assignee: geiger.david68210 => qa-bugs
Package list for Mageia 8:
jasper-2.0.25-1.mga8
libjasper-devel-2.0.25-1.mga8
libjasper4-debuginfo-2.0.25-1.mga8
libjasper4-2.0.25-1.mga8
from jasper-2.0.25-1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Already fixed and pushed for mga8 before mga8 was released!
CC: (none) => geiger.david68210
That was the problem David. We wipe updates_testing at release time.
Fedora has issued an advisory on February 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSE7IN2V4KAQDTSMRIVDIHQ6XXFC4AUH/ Two additional issues were also fixed in 2.0.25.
Summary: jasper new security issue CVE-2021-3272 => jasper new security issues CVE-2021-3272 and CVE-2021-2692[67]
mga7, x64

Before updates:

CVE-2021-26926 Out of bounds read
https://bugzilla.redhat.com/show_bug.cgi?id=1922320
PoC: https://github.com/jasper-software/jasper/issues/264

$ jasper -f poc.jp2 --output-format jpg
warning: number of components mismatch
warning: number of components mismatch
warning: component data type mismatch
[...]
error: The JPG encoder cannot handle an image with this geometry.
error: cannot encode image

<This looks like a clean exit, so the problem may have been fixed already>
The test is intended for an ASAN compiled package which would produce detailed diagnostics.

CVE-2021-26927 Null pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1922494
PoC: https://github.com/jasper-software/jasper/issues/265

$ jasper -f poc2.jp2 --output-format jpg
warning: component data type mismatch
Segmentation fault (core dumped)
CC: (none) => tarazed25
Updated three of the packages.

$ jasper -f poc.jp2 --output-format jpg
error: number of components mismatch (IHDR)
error: cannot load image data

$ jasper -f poc2.jp2 --output-format jpg
error: component data type mismatch (IHDR)
error: cannot load image data

Both PoC tests returned good results after the update, confirming that the issues have been fixed.

Repeated tests used in earlier bugs for jasper.

$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan2.jpg
$ file riverpan2.jpg
riverpan2.jpg: JPEG 2000 Part 1 (JP2)
$ display riverpan2.jpg
<OK>
$ imginfo -f riverpan2.jpg
jp2 3 2816 558 8 4713984
$ ll riverpan*
-rw-r--r-- 1 lcl lcl 1570642 Feb 28  2021 riverpan2.jpg
-rw-r--r-- 1 lcl lcl 1570642 Dec 16 16:14 riverpan.jp2

$ jasper -f sail.j2k -F sail2.bmp -T bmp
sail2.bmp displays OK with ImageMagick.
$ imginfo -f sail2.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
$ convert sail2.bmp sail2.ppm
$ imginfo -f sail2.ppm
pnm 3 640 480 8 921600

No regressions.
Whiteboard: MGA7TOO => MGA7-64-OK
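The before/after runs in the test reports above are judged by eye: a run that ends with `error: cannot load image data` is a pass, while `Segmentation fault (core dumped)` or an AddressSanitizer report is a fail. The shell helper below is an added example, not part of this bug report and not JasPer's own tooling; it classifies one decoder run by its exit status and output so a set of PoC files can be checked mechanically. It assumes a POSIX shell and Linux signal numbering (SIGSEGV = 11). The demo calls at the end use constructed `sh -c` stand-ins in place of the real jasper binary, so the script runs without the package installed.

```shell
#!/bin/sh
# Added example, not from the bug report or from JasPer: classify how a
# decoder run ends, the way the QA comments above do by hand.
#   CLEAN     exit status 0
#   HANDLED   non-zero exit, no crash (e.g. "error: cannot load image data")
#   SIGNAL:n  killed by signal n (11 = SIGSEGV, the "Segmentation fault" case)
#   ASAN      AddressSanitizer report in the output (ASAN-built package)
# Usage with a real package: classify_run jasper --input hoob_8 --output test.jp2

classify_run() {
    rc=0
    # Capture stdout and stderr together; "|| rc=$?" records a non-zero
    # exit without aborting a caller that runs under "set -e".
    out=$( "$@" 2>&1 ) || rc=$?
    if printf '%s\n' "$out" | grep -q 'ERROR: AddressSanitizer'; then
        echo "ASAN"
    elif [ "$rc" -gt 128 ]; then
        # POSIX shells report death by signal as 128 + signal number.
        echo "SIGNAL:$((rc - 128))"
    elif [ "$rc" -eq 0 ]; then
        echo "CLEAN"
    else
        echo "HANDLED"
    fi
}

# check_poc EXPECTED CMD...: run one PoC and report PASS/FAIL against the
# outcome expected after the fix (normally HANDLED or CLEAN).
check_poc() {
    expected=$1; shift
    got=$(classify_run "$@")
    if [ "$got" = "$expected" ]; then
        echo "PASS ($got): $*"
        return 0
    fi
    echo "FAIL (got $got, expected $expected): $*"
    return 1
}

# Demo with constructed stand-ins (sh -c) instead of the jasper binary.
# First one passes; the crash and the ASAN report are reported as failures.
check_poc HANDLED sh -c 'echo "error: cannot load image data" >&2; exit 1'
check_poc HANDLED sh -c 'kill -s SEGV $$'
check_poc HANDLED sh -c 'echo "==1==ERROR: AddressSanitizer: heap-buffer-overflow" >&2; exit 1'
```

Against the packages in the report above, `classify_run jasper -f poc2.jp2 --output-format jpg` should print `SIGNAL:11` on the unfixed mga7 build and `HANDLED` after the update; with an ASAN-built jasper the unfixed run prints `ASAN` instead, since the sanitizer report is matched before the exit status is looked at.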
Whiteboard: MGA7-64-OK => MGA7TOO MGA7-64-OK
So I take it we still need an official QA test for MGA8. Anyone?
CC: (none) => andrewsfarm
I did some tests before. It still seems fixed today with the same PoC from Len above. So I also give an OK for MGA8-64-OK. It needs an advisory.
CVE: (none) => CVE-2021-3272, CVE-2021-26926, CVE-2021-26927
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
jasper-2.0.25 was already tested and pushed to Core/Release before mga8 was released! So we just need some tests for mga7.
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK => MGA7-64-OK
Source RPM: jasper-2.0.23-2.mga8.src.rpm => jasper-2.0.23-1.mga7.src.rpm
Version: 8 => 7
(In reply to Aurelien Oudelet from comment #17)
> I did some tests before. Seems always fixed today with same PoC from Len
> above.
> So I give also an OK for MGA8-64-OK.

Thanks, Aurelien. I'll validate it.

> It needs an advisory.

Yeah, I'm noticing a number of bugs like that, mostly those that apply to both releases.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
OK, David. Always some confusion so soon after the release.
Advisory:
========================

Updated jasper packages fix security vulnerabilities:

jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components (CVE-2021-3272).

A flaw was found in jasper. An out of bounds read issue was found in the jp2_decode function which may lead to disclosure of information or program crash (CVE-2021-26926).

A flaw was found in jasper. A null pointer dereference in jp2_decode in jp2_dec.c may lead to program crash and denial of service (CVE-2021-26927).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26927
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HD2Y2LT4N5ZWCMKYCUIKB3XODNJLOW3J/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSE7IN2V4KAQDTSMRIVDIHQ6XXFC4AUH/
Addendum to the test report in comment 15:

Picking up the earlier CVE - thanks Dave.

After the update:

CVE-2021-3272
https://github.com/jasper-software/jasper/issues/259

$ jasper --input hoob_8 --output test3.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
error: component data type mismatch (IHDR)
error: cannot load image data

The upload ASAN test caused an ABORT before the fix, so we can say that this version does contain the fix.
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0113.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED