** Information type changed from Private Security to Public Security **

** Changed in: jasper (Ubuntu)
       Status: New => Confirmed
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to jasper in Ubuntu.
https://bugs.launchpad.net/bugs/1653649

Title:
  security bug in jasper

Status in jasper package in Ubuntu:
  Confirmed

Bug description:
  1) Invalid pointer access

  Bug in jas_matrix_asl

      mov rax, [rbp+var_10]
      mov rax, [rax]      // invalid memory access

  https://github.com/mdadams/jasper/blob/master/src/libjasper/base/jas_seq.c#L354

  Here pointer 'data' is corrupted, and while trying to access its value
  the application crashes.

      while ( v4 > 0 )
      {
        v5 = *(_QWORD *)(a1 + 48);
        v7 = v6;
        while ( v5 > 0 )
        {
          *v7 = jas_fast32_asl(*v7, a2);   // here pointer v7 is not validated
          --v5;
          ++v7;
        }

  2) Invalid pointer access

  Bug in jpc_undo_roi

  Invalid memory access bug in jpc_dec.c
  (https://github.com/mdadams/jasper/blob/master/src/libjasper/jpc/jpc_dec.c#L1925).
  Here the base address of the matrix is passed to the function
  jpc_undo_roi(), which can be controlled by corrupting the bit stream.
  An attacker can craft a jp2 image with malicious content to trigger an
  arbitrary memory read. This can be used along with other
  vulnerabilities to leak information.

      for ( i = 0; (signed __int64)i < *(_QWORD *)(a1 + 40); ++i )
      {
        for ( j = 0; (signed __int64)j < *(_QWORD *)(a1 + 48); ++j )
        {
          v15 = *(_QWORD *)(8LL * j + *(_QWORD *)(8LL * i + *(_QWORD *)(a1 + 56)));   // crashing here
          v12 = (v15 ^ (v15 >> 63)) - (v15 >> 63);
          if ( 1 << v8 > v12 )

  Both of these bugs were found during extensive file format fuzzing and
  research on the libjasper library. From a quick check I found that the
  accessed address can be controlled by crafting the jp2 image bit
  stream. Crash samples attached. Please issue CVEs and fix these issues
  at the earliest.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1653649/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
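Both crashes in the report come from walking a matrix whose row pointers (and, in the second case, whose dimensions) are taken on trust from decoder state that the bit stream can influence. The C program below is an added illustration, not JasPer's code and not the upstream fix: it shows the defensive pattern a maintainer would want at these call sites, an internal-consistency check on the matrix before any row pointer is dereferenced. The struct layout, the field names, the MAT_MAX_DIM limit and every mat_* function are constructed for this example. The caveat is that such a check only catches row pointers and dimensions that disagree with the matrix's own buffer bookkeeping; it complements, rather than replaces, fixing the corruption at its source in the decoder.

```c
/*
 * Constructed example: a minimal matrix type modelled on the fields the
 * report refers to (row count, column count, table of row pointers), plus
 * a consistency check run before any row is touched.  Not JasPer's code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t mat_elem_t;

typedef struct {
    ptrdiff_t    numrows;   /* signed, like the decompiled comparisons */
    ptrdiff_t    numcols;
    mat_elem_t  *data;      /* backing buffer owned by the matrix */
    size_t       datasize;  /* element count of data */
    mat_elem_t **rows;      /* rows[i] should point into data */
} mat_t;

/* Arbitrary sanity limit so corrupted dimensions cannot drive a huge walk. */
#define MAT_MAX_DIM 65536

/* Returns 1 if dimensions and every row pointer are consistent with the
 * matrix's own buffer, 0 otherwise.  Dereferences nothing but the struct. */
int mat_validate(const mat_t *m)
{
    if (m == NULL || m->rows == NULL || m->data == NULL)
        return 0;
    if (m->numrows <= 0 || m->numcols <= 0)
        return 0;
    if (m->numrows > MAT_MAX_DIM || m->numcols > MAT_MAX_DIM)
        return 0;
    if ((size_t)m->numrows * (size_t)m->numcols > m->datasize)
        return 0;

    /* Compare as integers to avoid undefined pointer comparisons. */
    uintptr_t lo = (uintptr_t)m->data;
    uintptr_t hi = lo + m->datasize * sizeof(mat_elem_t);
    size_t rowbytes = (size_t)m->numcols * sizeof(mat_elem_t);
    for (ptrdiff_t i = 0; i < m->numrows; i++) {
        uintptr_t r = (uintptr_t)m->rows[i];
        /* Row must start inside data and all numcols elements must fit. */
        if (m->rows[i] == NULL || r < lo || r > hi - rowbytes)
            return 0;
    }
    return 1;
}

/* Arithmetic shift left of every element.  0 on success, -1 if the matrix
 * fails validation or the shift count is out of range.  The unchecked
 * version of this loop is what the report shows crashing. */
int mat_asl_checked(mat_t *m, int n)
{
    if (!mat_validate(m) || n < 0 || n >= 31)
        return -1;
    for (ptrdiff_t i = 0; i < m->numrows; i++) {
        mat_elem_t *p = m->rows[i];
        for (ptrdiff_t j = 0; j < m->numcols; j++)
            p[j] = (mat_elem_t)((uint32_t)p[j] << n);  /* shift unsigned: no UB */
    }
    return 0;
}

void mat_destroy(mat_t *m)
{
    if (!m) return;
    free(m->rows);
    free(m->data);
    free(m);
}

mat_t *mat_create(ptrdiff_t numrows, ptrdiff_t numcols)
{
    if (numrows <= 0 || numcols <= 0 || numrows > MAT_MAX_DIM || numcols > MAT_MAX_DIM)
        return NULL;
    mat_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->numrows = numrows;
    m->numcols = numcols;
    m->datasize = (size_t)numrows * (size_t)numcols;
    m->data = calloc(m->datasize, sizeof *m->data);
    m->rows = calloc((size_t)numrows, sizeof *m->rows);
    if (!m->data || !m->rows) { mat_destroy(m); return NULL; }
    for (ptrdiff_t i = 0; i < numrows; i++)
        m->rows[i] = m->data + (size_t)i * (size_t)numcols;
    return m;
}

/* Demo: a well-formed 2x3 matrix holding 1..6; returns [1][2] after asl by 2. */
int demo_valid_shift(void)
{
    mat_t *m = mat_create(2, 3);
    if (!m) return -1;
    for (int i = 0; i < 6; i++) m->data[i] = i + 1;
    int v = (mat_asl_checked(m, 2) == 0) ? m->rows[1][2] : -1;  /* 6 << 2 = 24 */
    mat_destroy(m);
    return v;
}

/* Demo: simulate a corrupted row pointer (points too close to the end of the
 * buffer for numcols elements); must be rejected, never dereferenced. */
int demo_corrupted_row_rejected(void)
{
    mat_t *m = mat_create(2, 3);
    if (!m) return -1;
    m->rows[1] = m->data + m->datasize - 1;
    int rc = mat_asl_checked(m, 1);
    mat_destroy(m);
    return rc;
}

/* Demo: simulate a corrupted row count; the sanity limit rejects it. */
int demo_bad_dims_rejected(void)
{
    mat_t *m = mat_create(2, 3);
    if (!m) return -1;
    m->numrows = MAT_MAX_DIM + 1;
    int rc = mat_asl_checked(m, 1);
    m->numrows = 2;  /* restore so destroy frees the right thing */
    mat_destroy(m);
    return rc;
}

int main(void)
{
    printf("valid shift, [1][2] = %d\n", demo_valid_shift());
    printf("corrupted row pointer rc = %d\n", demo_corrupted_row_rejected());
    printf("corrupted dimensions rc  = %d\n", demo_bad_dims_rejected());
    return 0;
}
```

The check is cheap (one pass over the row table) and would turn both reported crashes into a clean error return at the call site; in a decoder the error should propagate up so the image is rejected rather than partially processed.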