Bug 28318 - jasper new security issues CVE-2021-3272 and CVE-2021-2692[67]
Summary: jasper new security issues CVE-2021-3272 and CVE-2021-2692[67]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-08 16:24 CET by David Walser
Modified: 2021-03-04 17:55 CET
6 users

See Also:
Source RPM: jasper-2.0.23-1.mga7.src.rpm
CVE: CVE-2021-3272, CVE-2021-26926, CVE-2021-26927
Status comment:

Description David Walser 2021-02-08 16:24:23 CET
Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HD2Y2LT4N5ZWCMKYCUIKB3XODNJLOW3J/

The issue will be fixed upstream in 2.0.25, and the RedHat bug has a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1921325

Mageia 7 is also affected.
David Walser 2021-02-08 16:26:42 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Lewis Smith 2021-02-08 17:31:32 CET
Assigning to DavidG as having done a few recent commits.

Assignee: bugsquad => geiger.david68210

David Walser 2021-02-08 17:34:34 CET

QA Contact: (none) => security
Component: Backports => Security

Comment 2 David GEIGER 2021-02-08 17:44:23 CET
Freeze push asked for new 2.0.25 release!
Comment 3 David GEIGER 2021-02-10 04:25:04 CET
Done for both mga8 and mga7 in Core/updates_testing repo!
Comment 4 David Walser 2021-02-10 16:36:35 CET
Since we're apparently not allowed to fix anything else before the Mageia 8 release, this will have to wait and be re-pushed later.

Saving the Mageia 7 package list:
jasper-2.0.25-1.mga7
libjasper4-2.0.25-1.mga7
libjasper-devel-2.0.25-1.mga7

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: Patch available from Fedora => Updated in SVN

Comment 5 David GEIGER 2021-02-11 07:04:09 CET
If it is tested on mga8 it can be moved to Core/Release, so please if someone can test it, thanks in advance!

There is also mingw-jasper to test on mga8.
Comment 6 Aurelien Oudelet 2021-02-11 18:44:50 CET
Looking at this. jasper is a software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard (i.e., ISO/IEC 15444-1). This package contains tools for working with JPEG-2000 images.

$ rpm -qa | grep jasper
lib64jasper4-2.0.23-2.mga8
urpmi jasper
jasper-2.0.23-2.mga8
install OK.

Looking at https://bugs.mageia.org/show_bug.cgi?id=27842
Thanks Len, I see what to do.

https://github.com/jasper-software/jasper/issues/259

Using PoC hoob_8

$ jasper --input ./hoob_8 --output test.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: component data type mismatch
=================================================================
==15245==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000fs0 at pc 0x7f641ad754be bp 0x7fffbeaa2a50 sp 0x7fffbeaa2a48
READ of size 8 at 0x6020000002f8 thread T0.......
[...]

Correctly reproduced.

Installing using QA Repo
jasper-2.0.25-1.mga8.x86_64.rpm
lib64jasper4-2.0.25-1.mga8.x86_64.rpm

$ jasper --input ./hoob_8 --output test.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
error: component data type mismatch (IHDR)
error: cannot load image data

No heap-buffer-overflow.

Give this OK.
mingw-jasper should be same.

CC: (none) => ouaurelien

Comment 7 Nicolas Lécureuil 2021-02-27 00:44:47 CET
Seems available for tests.

Assignee: geiger.david68210 => qa-bugs
CC: (none) => mageia

Comment 8 David Walser 2021-02-27 01:10:39 CET
Needed to be pushed in Cauldron still.

Assignee: qa-bugs => geiger.david68210

Comment 9 Nicolas Lécureuil 2021-02-27 01:23:27 CET
done.

Just after a release it is sometimes hard to see what is or is not yet pushed, and where :)

Status comment: Updated in SVN => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 10 David Walser 2021-02-27 01:46:44 CET
Package list for Mageia 8:
jasper-2.0.25-1.mga8
libjasper-devel-2.0.25-1.mga8
libjasper4-debuginfo-2.0.25-1.mga8
libjasper4-2.0.25-1.mga8

from jasper-2.0.25-1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 11 David GEIGER 2021-02-27 04:56:47 CET
Already fixed and pushed for mga8 before mga8 released!

CC: (none) => geiger.david68210

Comment 12 David Walser 2021-02-27 16:13:01 CET
That was the problem, David. We wipe updates_testing at release time.
Comment 13 David Walser 2021-02-27 19:29:48 CET
Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSE7IN2V4KAQDTSMRIVDIHQ6XXFC4AUH/

Two additional issues were also fixed in 2.0.25.

Summary: jasper new security issue CVE-2021-3272 => jasper new security issues CVE-2021-3272 and CVE-2021-2692[67]

Comment 14 Len Lawrence 2021-02-28 20:58:43 CET
mga7, x64

Before updates:

CVE-2021-26926
Out of bounds read
https://bugzilla.redhat.com/show_bug.cgi?id=1922320
PoC: https://github.com/jasper-software/jasper/issues/264
$ jasper -f poc.jp2 --output-format jpg
warning: number of components mismatch
warning: number of components mismatch
warning: component data type mismatch
[...]
error: The JPG encoder cannot handle an image with this geometry.
error: cannot encode image
<This looks like a clean exit, so the problem may have been fixed already>
The test is intended for an ASAN compiled package which would produce detailed diagnostics.

CVE-2021-26927
Null pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1922494
PoC: https://github.com/jasper-software/jasper/issues/265
$ jasper -f poc2.jp2 --output-format jpg
warning: component data type mismatch
Segmentation fault (core dumped)

CC: (none) => tarazed25

Comment 15 Len Lawrence 2021-02-28 23:38:02 CET
Updated three of the packages.

$ jasper -f poc.jp2 --output-format jpg
error: number of components mismatch (IHDR)
error: cannot load image data

$ jasper -f poc2.jp2 --output-format jpg
error: component data type mismatch (IHDR)
error: cannot load image data

Both PoC tests returned good results after the update, confirming that the issues have been fixed.

Repeated tests used in earlier bugs for jasper.

$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan2.jpg
$ file riverpan2.jpg
riverpan2.jpg: JPEG 2000 Part 1 (JP2)
$ display riverpan2.jpg
<OK>
$ imginfo -f riverpan2.jpg
jp2 3 2816 558 8 4713984
$ ll riverpan*
-rw-r--r-- 1 lcl lcl 1570642 Feb 28  2021 riverpan2.jpg
-rw-r--r-- 1 lcl lcl 1570642 Dec 16 16:14 riverpan.jp2

$ jasper -f sail.j2k -F sail2.bmp -T bmp
sail2.bmp displays OK with ImageMagick.
$ imginfo -f sail2.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600
$ convert sail2.bmp sail2.ppm
$ imginfo -f sail2.ppm
pnm 3 640 480 8 921600

No regressions.

Whiteboard: MGA7TOO => MGA7-64-OK

Aurelien Oudelet 2021-02-28 23:43:00 CET

Whiteboard: MGA7-64-OK => MGA7TOO MGA7-64-OK

Comment 16 Thomas Andrews 2021-03-01 14:49:18 CET
So I take it we still need an official QA test for MGA8. 

Anyone?

CC: (none) => andrewsfarm

Comment 17 Aurelien Oudelet 2021-03-01 14:58:17 CET
I did some tests before. It still seems fixed today with the same PoC from Len above.
So I also give an OK for MGA8-64-OK.

It needs an advisory.

CVE: (none) => CVE-2021-3272, CVE-2021-26926, CVE-2021-26927
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 18 David GEIGER 2021-03-01 15:08:09 CET
jasper-2.0.25 was already tested and pushed to Core/Release before mga8 was released!

So need just some test for mga7.

Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK => MGA7-64-OK
Source RPM: jasper-2.0.23-2.mga8.src.rpm => jasper-2.0.23-1.mga7.src.rpm
Version: 8 => 7

Comment 19 Thomas Andrews 2021-03-01 15:11:16 CET
(In reply to Aurelien Oudelet from comment #17)
> I did some tests before. Seems always fixed today with same PoC from Len
> above.
> So I give also an OK for MGA8-64-OK.
> 
Thanks, Aurelien. I'll validate it.

> It needs an advisory.

Yeah, I'm noticing a number of bugs like that, mostly those that apply to both releases.
Thomas Andrews 2021-03-01 15:11:58 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 20 Thomas Andrews 2021-03-01 15:13:34 CET
OK, David. Always some confusion so soon after the release.
Comment 21 David Walser 2021-03-03 00:40:15 CET
Advisory:
========================

Updated jasper packages fix security vulnerabilities:

jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based
buffer over-read when there is an invalid relationship between the number of
channels and the number of image components (CVE-2021-3272).

A flaw was found in jasper. An out of bounds read issue was found in jp2_decode
function which may lead to disclosure of information or program crash
(CVE-2021-26926).

A flaw was found in jasper. A null pointer dereference in jp2_decode in
jp2_dec.c may lead to program crash and denial of service (CVE-2021-26927).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26927
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HD2Y2LT4N5ZWCMKYCUIKB3XODNJLOW3J/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSE7IN2V4KAQDTSMRIVDIHQ6XXFC4AUH/
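
An added, stand-alone example (not JasPer's code and not the upstream fix) of the header-level consistency check the first advisory item calls for: it parses a jp2h superbox and flags a cdef entry whose channel index exceeds the component count declared in ihdr. Box layout follows ISO/IEC 15444-1 Annex I; the no-palette case is assumed, so a channel index maps directly to a component index.

```python
import struct

# Added example (not JasPer's code): a pre-decode JP2 header sanity check that
# flags a channel definition (cdef) referring to a component the image header
# (ihdr) does not declare. Assumes no palette, so channel == component.

def iter_boxes(data):
    """Yield (type, payload) for each JP2 box in data; raise on malformed lengths."""
    pos, end = 0, len(data)
    while pos + 8 <= end:
        lbox, tbox = struct.unpack(">I4s", data[pos:pos + 8])
        hdr = 8
        if lbox == 1:                     # XLBox: 64-bit length follows
            (lbox,) = struct.unpack(">Q", data[pos + 8:pos + 16])
            hdr = 16
        elif lbox == 0:                   # box extends to the end of the data
            lbox = end - pos
        if lbox < hdr or pos + lbox > end:
            raise ValueError("truncated or malformed box %r" % tbox)
        yield tbox, data[pos + hdr:pos + lbox]
        pos += lbox

def check_jp2h(jp2h_payload):
    """Return a list of inconsistencies in a jp2h superbox payload (empty = consistent)."""
    problems, ncomps, cdef = [], None, []
    for tbox, body in iter_boxes(jp2h_payload):
        if tbox == b"ihdr" and len(body) >= 14:
            # fields: height, width, NC (component count), BPC, C, UnkC, IPR
            ncomps = struct.unpack(">IIHBBBB", body[:14])[2]
        elif tbox == b"cdef":
            (n,) = struct.unpack(">H", body[:2])
            if len(body) < 2 + 6 * n:
                problems.append("cdef declares %d entries but is truncated" % n)
                continue
            cdef = [struct.unpack(">HHH", body[2 + 6 * i:8 + 6 * i]) for i in range(n)]
    if ncomps is None:
        return problems + ["missing ihdr"]
    for chan, _typ, _assoc in cdef:
        if chan >= ncomps:
            problems.append("cdef channel %d exceeds %d components" % (chan, ncomps))
    return problems

def box(tbox, payload):
    # Build one JP2 box with a 32-bit length field (helper for constructed samples).
    return struct.pack(">I4s", 8 + len(payload), tbox) + payload

# Constructed samples: ihdr with 3 components; a cdef mapping channels 0-2 to
# colours 1-3; a bad cdef whose single entry points channel 5 at colour 1.
IHDR = box(b"ihdr", struct.pack(">IIHBBBB", 480, 640, 3, 7, 7, 0, 0))
GOOD_CDEF = box(b"cdef", struct.pack(">H", 3) + b"".join(struct.pack(">HHH", i, 0, i + 1) for i in range(3)))
BAD_CDEF = box(b"cdef", struct.pack(">H", 1) + struct.pack(">HHH", 5, 0, 1))
```

Running `check_jp2h(IHDR + BAD_CDEF)` reports the out-of-range channel, which is the kind of header/codestream disagreement the fixed jasper now rejects with "cannot load image data" instead of reading past the component array.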
Comment 22 Len Lawrence 2021-03-03 01:19:05 CET
Addendum to the test report in comment 15:

Picking up the earlier CVE - thanks Dave.

After the update:
CVE-2021-3272
https://github.com/jasper-software/jasper/issues/259
$ jasper --input hoob_8 --output test3.jp2
warning: not enough tile data (25 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
error: component data type mismatch (IHDR)
error: cannot load image data

The upload ASAN test caused an ABORT before the fix so we can say that this version does contain the fix.
Comment 23 Aurelien Oudelet 2021-03-04 14:32:00 CET
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 24 Mageia Robot 2021-03-04 17:55:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0113.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED