** Information type changed from Private Security to Public Security

** Changed in: jasper (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to jasper in Ubuntu.
https://bugs.launchpad.net/bugs/1653649

Title:
  security bug in jasper

Status in jasper package in Ubuntu:
  Confirmed

Bug description:
  1) Invalid pointer access Bug in jas_matrix_asl

  mov     rax, [rbp+var_10]
  mov     rax, [rax]     // invalid memory access 

  https://github.com/mdadams/jasper/blob/master/src/libjasper/base/jas_seq.c#L354
  Here pointer 'data' is corrupted and while trying to access its value
  the application crashes.

  while ( v4 > 0 )
  {
    v5 = *(_QWORD *)(a1 + 48);
    v7 = v6;
    while ( v5 > 0 )
    {
      *v7 = jas_fast32_asl(*v7, a2); // here pointer v7 is not validated
      --v5;
      ++v7;
    }

  2) Invalid pointer access Bug in jpc_undo_roi

  Invalid memory access bug in jpc_dec.c
  (https://github.com/mdadams/jasper/blob/master/src/libjasper/jpc/jpc_dec.c#L1925).
  Here the base address of the matrix is passed to the function
  jpc_undo_roi(), which can be controlled by corrupting the bit stream.
  An attacker can craft a jp2 image with malicious content to trigger an
  arbitrary memory read. This can be used along with other
  vulnerabilities to leak information.

  for ( i = 0; (signed __int64)i < *(_QWORD *)(a1 + 40); ++i )
  {
    for ( j = 0; (signed __int64)j < *(_QWORD *)(a1 + 48); ++j )
    {
      v15 = *(_QWORD *)(8LL * j + *(_QWORD *)(8LL * i + *(_QWORD *)(a1 + 56))); // crashing here
      v12 = (v15 ^ (v15 >> 63)) - (v15 >> 63);
      if ( 1 << v8 > v12 )


  Both of these bugs were found during extensive file format fuzzing and
  research done on the libjasper library.

  From the quick checking I found that the address of access can be
  controlled by crafting jp2 image bit stream. Crash samples attached.

  Please issue CVEs and fix these issues at the earliest.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1653649/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
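Added illustration of the missing check the report describes, not jasper's code or its actual fix: a shift loop over a hypothetical matrix type that validates every row pointer against the matrix's own backing buffer before writing a single element. The struct, its field names (mirroring what the decompiled loop reads at a1+40, a1+48 and a1+56) and the functions are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout for illustration only; NOT jasper's jas_matrix_t.
 * numrows/numcols/rows mirror the three fields the decompiled loop reads. */
typedef struct {
    size_t numrows;
    size_t numcols;
    int32_t *data;   /* backing buffer of numrows * numcols entries */
    int32_t **rows;  /* one pointer per row, each expected to point into data */
} checked_matrix_t;

/* Left shift on the unsigned bit pattern, so a negative sample never
 * triggers signed-overflow undefined behaviour. */
static int32_t safe_asl32(int32_t x, int n)
{
    return (int32_t)((uint32_t)x << n);
}

/* Shift every sample left by n. Returns 0 on success; returns -1 and leaves
 * the data untouched if any row pointer does not lie inside the backing
 * buffer with room for numcols entries, which is the invariant the crashing
 * loop assumed without checking. All rows are validated before any write. */
int checked_matrix_asl(checked_matrix_t *m, int n)
{
    if (!m || !m->data || !m->rows || n < 0 || n > 31)
        return -1;
    /* reject dimensions whose byte size would overflow size_t */
    if (m->numcols && (m->numrows > SIZE_MAX / m->numcols ||
                       m->numrows * m->numcols > SIZE_MAX / sizeof(int32_t)))
        return -1;
    uintptr_t lo = (uintptr_t)m->data;
    uintptr_t hi = lo + m->numrows * m->numcols * sizeof(int32_t);
    for (size_t i = 0; i < m->numrows; ++i) {
        uintptr_t row = (uintptr_t)m->rows[i];
        if (!m->rows[i] || row < lo || row > hi ||
            (hi - row) / sizeof(int32_t) < m->numcols)
            return -1;  /* row table corrupted: refuse, do not dereference */
    }
    for (size_t i = 0; i < m->numrows; ++i)
        for (size_t j = 0; j < m->numcols; ++j)
            m->rows[i][j] = safe_asl32(m->rows[i][j], n);
    return 0;
}
```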
