[oss-security] 20161022 Re: jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

[oss-security] 20161023 jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)

93835

https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c

https://bugzilla.redhat.com/show_bug.cgi?id=1388828

https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d

FEDORA-2016-6c789ba91d

FEDORA-2016-e0f0d48142

USN-3693-1

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The jp2_colr_destroy function in     libjasper/jp2/jp2_cod.c in JasPer before 1.900.10     allows remote attackers to cause a denial of service     (NULL pointer dereference).(CVE-2016-8887)

  - The jp2_cdef_destroy function in jp2_cod.c in JasPer     before 2.0.13 allows remote attackers to cause a denial     of service (NULL pointer dereference) via a crafted     image.(CVE-2017-6850)

  - The jp2_colr_destroy function in jp2_cod.c in JasPer     before 1.900.13 allows remote attackers to cause a     denial of service (NULL pointer dereference) by     leveraging incorrect cleanup of JP2 box data on error.
    NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-8887.(CVE-2016-10250)

  - Heap-based buffer overflow in the jpc_dec_decodepkt     function in jpc_t2dec.c in JasPer 2.0.10 allows remote     attackers to have unspecified impact via a crafted     image.(CVE-2017-6852)

  - Race condition in the jas_stream_tmpfile function in     libjasper/base/jas_stream.c in JasPer 1.900.1 allows     local users to cause a denial of service (program exit)     by creating the appropriate tmp.XXXXXXXXXX temporary     file, which causes Jasper to exit. NOTE: this was     originally reported as a symlink issue, but this was     incorrect. NOTE: some vendors dispute the severity of     this issue, but it satisfies CVE's requirements for     inclusion.(CVE-2008-3521)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system using JasPer were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2016-8691 FPE on unknown address ... jpc_dec_process_siz ...
jpc_dec.c

CVE-2016-8692 FPE on unknown address ... jpc_dec_process_siz ...
jpc_dec.c

CVE-2016-8693 attempting double-free ... mem_close ... jas_stream.c

CVE-2016-8882 segfault / NULL pointer access in jpc_pi_destroy

CVE-2016-9560 stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)

CVE-2016-8887 part 1 + 2 NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

CVE-2016-8654 Heap-based buffer overflow in QMFB code in JPC codec

CVE-2016-8883 assert in jpc_dec_tiledecode()

TEMP-CVE heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)

For Debian 7 'Wheezy', these problems have been fixed in version 1.900.1-13+deb7u5.

We recommend that you upgrade your jasper packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693 Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373) 

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - jasper: NULL pointer dereference in jp2_colr_destroy     (jp2_cod.c) (incomplete fix for CVE-2016-8887)     (bsc#1006839)

For additional change description please have a look at the changelog.

This update was imported from the SUSE:SLE-12:Update update project.

This update for jasper fixes the following issues: Security fixes :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693: Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2016-1577, CVE-2016-2116: double free vulnerability     in the jas_iccattrval_destroy function (bsc#968373)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: multiple integer overflows (bsc#392410)

  - bsc#1006839: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (incomplete fix for     CVE-2016-8887)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues. These security issues were fixed :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693 Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - jasper: NULL pointer dereference in jp2_colr_destroy     (jp2_cod.c) (incomplete fix for CVE-2016-8887)     (bsc#1006839) For additional change description please     have a look at the changelog.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update contains security fix for CVE-2016-8883, CVE-2016-8882, CVE-2016-8881, CVE-2016-8880, CVE-2016-8884, CVE-2016-8885, CVE-2016-8887, CVE-2016-8886.

----

New version of jasper is available (jasper-1.900.13). Security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693.

----

New version of jasper is available (1.900.3)

----

Security fix for CVE-2016-2089

----

New version of jasper is available.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919).

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2016-1577: Double free vulnerability in the     jas_iccattrval_destroy function in JasPer allowed remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137 (bsc#968373).

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084).

  - CVE-2016-8691, CVE-2016-8692: Missing range check on     XRsiz and YRsiz fields of SIZ marker segment     (bsc#1005090).

  - CVE-2016-8693: The memory stream interface allowed for a     buffer size of zero. The case of a zero-sized buffer was     not handled correctly, as it could lead to a double free     (bsc#1005242).

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591).

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593).

  - CVE-2016-8882: NULL pointer access in jpc_pi_destroy     (bsc#1006597).

  - CVE-2016-8883: Assert triggered in jpc_dec_tiledecode()     (bsc#1006598).

  - CVE-2016-8886: Memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599).

    For additional change description please have a look at     the changelog.

ID	Name	Product	Family	Severity
130699	EulerOS 2.0 SP5 : jasper (EulerOS-SA-2019-2237)	Nessus	Huawei Local Security Checks	high
110765	Ubuntu 14.04 LTS / 16.04 LTS : jasper vulnerabilities (USN-3693-1)	Nessus	Ubuntu Local Security Checks	medium
95664	Debian DLA-739-1 : jasper security updat	Nessus	Debian Local Security Checks	medium
94945	openSUSE Security Update : jasper (openSUSE-2016-1309)	Nessus	SuSE Local Security Checks	critical
94729	SUSE SLES11 Security Update : jasper (SUSE-SU-2016:2776-1)	Nessus	SuSE Local Security Checks	critical
94728	SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2016:2775-1)	Nessus	SuSE Local Security Checks	critical
94689	Fedora 23 : jasper (2016-6c789ba91d)	Nessus	Fedora Local Security Checks	medium
94662	Fedora 24 : jasper (2016-e0f0d48142)	Nessus	Fedora Local Security Checks	medium
94601	openSUSE Security Update : jasper (openSUSE-2016-1270)	Nessus	SuSE Local Security Checks	critical

CVE-2016-8887

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins