[oss-security] 20161117 Re: jasper: multiple assertion failures

94374

RHSA-2017:1208

https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure

https://bugzilla.redhat.com/show_bug.cgi?id=1396959

https://github.com/mdadams/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf

USN-3693-1

The remote NewStart CGSL host, running version MAIN 4.05, has jasper packages installed that are affected by multiple vulnerabilities:

  - JasPer before version 2.0.10 is vulnerable to a null     pointer dereference was found in the decoded creation of     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash.
    (CVE-2016-9600)

  - A use-after-free flaw was found in the way JasPer,     before version 2.0.12, decode certain JPEG 2000 image     files. A specially crafted file could cause an     application using JasPer to crash. (CVE-2016-9591)

  - An out-of-bounds heap read vulnerability was found in     the jpc_pi_nextpcrl() function of jasper before 2.0.6     when processing crafted input. (CVE-2016-9583)

  - A heap-buffer overflow vulnerability was found in QMFB     code in JPC codec caused by buffer being allocated with     too small size. jasper versions before 2.0.0 are     affected. (CVE-2016-8654)

  - Stack-based buffer overflow in the jpc_tsfb_getbands2     function in jpc_tsfb.c in JasPer before 1.900.30 allows     remote attackers to have unspecified impact via a     crafted image. (CVE-2016-9560)

  - Multiple integer overflows in the (1) jas_realloc     function in base/jas_malloc.c and (2) mem_resize     function in base/jas_stream.c in JasPer before 1.900.22     allow remote attackers to cause a denial of service via     a crafted image, which triggers use after free     vulnerabilities. (CVE-2016-9262)

  - Integer overflow in the jpc_pi_nextcprl function in     jpc_t2cod.c in JasPer before 1.900.20 allows remote     attackers to have unspecified impact via a crafted file,     which triggers use of an uninitialized value.
    (CVE-2016-10251)

  - The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     file. (CVE-2016-9393)

  - The calcstepsizes function in jpc_dec.c in JasPer before     1.900.17 allows remote attackers to cause a denial of     service (assertion failure) via a crafted file.
    (CVE-2016-9392)

  - The jas_seq2d_create function in jas_seq.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     file. (CVE-2016-9394)

  - The jpc_bitstream_getbits function in jpc_bs.c in JasPer     before 2.0.10 allows remote attackers to cause a denial     of service (assertion failure) via a very large integer.
    (CVE-2016-9391)

  - The ras_getcmap function in ras_dec.c in JasPer before     1.900.14 allows remote attackers to cause a denial of     service (assertion failure) via a crafted image file.
    (CVE-2016-9388)

  - The jpc_irct and jpc_iict functions in jpc_mct.c in     JasPer before 1.900.14 allow remote attackers to cause a     denial of service (assertion failure). (CVE-2016-9389)

  - The jas_seq2d_create function in jas_seq.c in JasPer     before 1.900.14 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     image file. (CVE-2016-9390)

  - Integer overflow in the jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows     remote attackers to have unspecified impact via a     crafted file, which triggers an assertion failure.
    (CVE-2016-9387)

  - Integer overflow in the jpc_dec_tiledecode function in     jpc_dec.c in JasPer before 1.900.12 allows remote     attackers to have unspecified impact via a crafted image     file, which triggers a heap-based buffer overflow.
    (CVE-2016-10249)

  - The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer     before 1.900.9 allows remote attackers to cause a denial     of service (NULL pointer dereference) via vectors     involving an empty sequence. (CVE-2016-10248)

  - The jpc_dec_tiledecode function in jpc_dec.c in JasPer     before 1.900.8 allows remote attackers to cause a denial     of service (assertion failure) via a crafted file.
    (CVE-2016-8883)

  - The jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows     remote attackers to cause a denial of service (divide-     by-zero error and application crash) via a crafted YRsiz     value in a BMP image to the imginfo command.
    (CVE-2016-8692)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer 1.900.5 allows remote attackers to cause a denial     of service (NULL pointer dereference) by calling the     imginfo command with a crafted BMP image. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2016-8690. (CVE-2016-8884)

  - Double free vulnerability in the mem_close function in     jas_stream.c in JasPer before 1.900.10 allows remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted BMP image     to the imginfo command. (CVE-2016-8693)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer before 1.900.5 allows remote attackers to cause a     denial of service (NULL pointer dereference) via a     crafted BMP image in an imginfo command. (CVE-2016-8690)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer before 1.900.9 allows remote attackers to cause a     denial of service (NULL pointer dereference) by calling     the imginfo command with a crafted BMP image.
    (CVE-2016-8885)

  - The jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows     remote attackers to cause a denial of service (divide-     by-zero error and application crash) via a crafted XRsiz     value in a BMP image to the imginfo command.
    (CVE-2016-8691)

  - Double free vulnerability in the jas_iccattrval_destroy     function in JasPer 1.900.1 and earlier allows remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137. (CVE-2016-1577)

  - Memory leak in the jas_iccprof_createfrombuf function in     JasPer 1.900.1 and earlier allows remote attackers to     cause a denial of service (memory consumption) via a     crafted ICC color profile in a JPEG 2000 image file.
    (CVE-2016-2116)

  - The jas_matrix_clip function in jas_seq.c in JasPer     1.900.1 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted JPEG 2000 image. (CVE-2016-2089)

  - Double free vulnerability in the jasper_image_stop_load     function in JasPer 1.900.17 allows remote attackers to     cause a denial of service (crash) via a crafted JPEG     2000 image file. (CVE-2015-5203)

  - The jpc_pi_nextcprl function in JasPer 1.900.1 allows     remote attackers to cause a denial of service (out-of-     bounds read and application crash) via a crafted JPEG     2000 image. (CVE-2016-1867)

  - Use-after-free vulnerability in the mif_process_cmpt     function in libjasper/mif/mif_cod.c in the JasPer     JPEG-2000 library before 1.900.2 allows remote attackers     to cause a denial of service (crash) via a crafted JPEG     2000 image file. (CVE-2015-5221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

CVE-2016-9396

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system using JasPer were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws were found in the way JasPer decoded     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash or,     possibly, execute arbitrary code. (CVE-2016-8654,     CVE-2016-9560, CVE-2016-10249, CVE-2015-5203,     CVE-2015-5221, CVE-2016-1577, CVE-2016-8690,     CVE-2016-8693, CVE-2016-8884, CVE-2016-8885,     CVE-2016-9262, CVE-2016-9591)

  - Multiple flaws were found in the way JasPer decoded     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash.
    (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116,     CVE-2016-8691, CVE-2016-8692, CVE-2016-8883,     CVE-2016-9387, CVE-2016-9388, CVE-2016-9389,     CVE-2016-9390, CVE-2016-9391, CVE-2016-9392,     CVE-2016-9393, CVE-2016-9394, CVE-2016-9583,     CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A

specially crafted file could cause an application using JasPer to crash or,

possibly, execute arbitrary code. ( CVE-2016-8654 , CVE-2016-9560 , CVE-2016-10249 ,

CVE-2015-5203 , CVE-2015-5221 , CVE-2016-1577 , CVE-2016-8690 , CVE-2016-8693 ,

CVE-2016-8884 , CVE-2016-8885 , CVE-2016-9262 , CVE-2016-9591 )

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A

specially crafted file could cause an application using JasPer to crash.

(CVE-2016-1867 , CVE-2016-2089 , CVE-2016-2116 , CVE-2016-8691 , CVE-2016-8692 ,

CVE-2016-8883 , CVE-2016-9387 , CVE-2016-9388 , CVE-2016-9389 , CVE-2016-9390 ,

CVE-2016-9391 , CVE-2016-9392 , CVE-2016-9393 , CVE-2016-9394 , CVE-2016-9583 ,

CVE-2016-9600 , CVE-2016-10248 , CVE-2016-10251)

Security fix for CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9560, CVE-2016-9591, CVE-2016-9600, CVE-2016-10251

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Bump release

  - Multiple security fixes (fixed by thoger): CVE-2015-5203     CVE-2015-5221 CVE-2016-1577 CVE-2016-1867     (CVE-2016-2089) CVE-2016-2116 CVE-2016-8654     CVE-2016-8690 CVE-2016-8691 (CVE-2016-8692)     CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885     (CVE-2016-9262) CVE-2016-9387 CVE-2016-9388     CVE-2016-9389 CVE-2016-9390 (CVE-2016-9391)     CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560     (CVE-2016-9583) CVE-2016-9591 CVE-2016-9600     CVE-2016-10248 CVE-2016-10249 (CVE-2016-10251)

  - Fix implicit declaration warning caused by security     fixes above

  - CVE-2014-8157 - dec->numtiles off-by-one check in     jpc_dec_process_sot (#1183672)

  - CVE-2014-8158 - unrestricted stack memory use in     jpc_qmfb.c (#1183680)

  - CVE-2014-8137 - double-free in in jas_iccattrval_destroy     (#1173567)

  - CVE-2014-8138 - heap overflow in jp2_decode (#1173567)

  - CVE-2014-9029 - incorrect component number check in COC,     RGN and QCC marker segment decoders (#1171209)

From Red Hat Security Advisory 2017:1208 :

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

ID	Name	Product	Family	Severity
127345	NewStart CGSL MAIN 4.05 : jasper Multiple Vulnerabilities (NS-SA-2019-0109)	Nessus	NewStart CGSL Local Security Checks	high
120882	Fedora 28 : jasper (2018-ec39fe2c9c)	Nessus	Fedora Local Security Checks	high
110765	Ubuntu 14.04 LTS / 16.04 LTS : JasPer vulnerabilities (USN-3693-1)	Nessus	Ubuntu Local Security Checks	high
110303	Fedora 27 : jasper (2018-e6df7fcf75)	Nessus	Fedora Local Security Checks	high
101464	Virtuozzo 6 : jasper / jasper-devel / jasper-libs / jasper-utils (VZLSA-2017-1208)	Nessus	Virtuozzo Local Security Checks	high
100812	EulerOS 2.0 SP2 : jasper (EulerOS-SA-2017-1095)	Nessus	Huawei Local Security Checks	high
100811	EulerOS 2.0 SP1 : jasper (EulerOS-SA-2017-1094)	Nessus	Huawei Local Security Checks	high
100637	Amazon Linux AMI : jasper (ALAS-2017-836)	Nessus	Amazon Linux Local Security Checks	critical
100281	Fedora 24 : jasper (2017-da0b00fd64)	Nessus	Fedora Local Security Checks	high
100231	Fedora 25 : jasper (2017-cfc20d5d45)	Nessus	Fedora Local Security Checks	high
100174	CentOS 6 / 7 : jasper (CESA-2017:1208)	Nessus	CentOS Local Security Checks	high
100120	Scientific Linux Security Update : jasper on SL6.x, SL7.x i386/x86_64 (20170509)	Nessus	Scientific Linux Local Security Checks	high
100116	OracleVM 3.3 / 3.4 : jasper (OVMSA-2017-0102)	Nessus	OracleVM Local Security Checks	high
100093	RHEL 6 / 7 : jasper (RHSA-2017:1208)	Nessus	Red Hat Local Security Checks	high
100089	Oracle Linux 6 / 7 : jasper (ELSA-2017-1208)	Nessus	Oracle Linux Local Security Checks	high

CVE-2016-9387

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

critical

high

high

high

high

high

high

high