
internal jasper should be patched for CVE-2007-2721

Reported by Ralph Giles on 2007-10-17
Affects                 Importance   Assigned to
ghostscript (Ubuntu)    Medium       Unassigned
    Dapper              Undecided    Unassigned
    Edgy                Undecided    Unassigned
    Feisty              Undecided    Unassigned
    Gutsy               Medium       Kees Cook
    Hardy               Medium       Unassigned
gs-gpl (Ubuntu)         Undecided    Unassigned
    Dapper              Undecided    Unassigned
    Edgy                Medium       Kees Cook
    Feisty              Medium       Kees Cook
    Gutsy               Undecided    Unassigned
    Hardy               Undecided    Unassigned

Bug Description

Binary package hint: ghostscript

The memory corruption issue with malformed input in jasper described in CVE-2007-2721 also applies to the modified copy of the jasper 1.701 jpeg2k library included with Ghostscript. The same patch should be applied to the version in the Ghostscript package.

We've made the change upstream in r8298. http://ghostscript.com/pipermail/gs-cvs/2007-October/007877.html

Kees Cook (kees) wrote :

Thanks for the heads-up! We will prepare updates. Is there a reason that ghostscript doesn't link against the system libjasper instead?

Changed in ghostscript:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Confirmed
Till Kamppeter (till-kamppeter) wrote :

I have simply taken the Ghostscript as it comes from upstream.

Ralph, can you tell what is changed in the libjasper which comes with Ghostscript and whether one could perhaps come to an agreement with libjasper upstream to make it possible for Ghostscript to use the system's libjasper?

Kees Cook (kees) wrote :

Dapper is not affected: jasper was not included in the code.

Changed in ghostscript:
status: Confirmed → Fix Committed
assignee: keescook → nobody
status: Fix Committed → Confirmed
status: New → Incomplete
status: New → Invalid
status: Incomplete → Invalid
status: New → Invalid
assignee: nobody → keescook
status: New → Fix Committed
importance: Undecided → Medium
Changed in gs-gpl:
status: New → Invalid
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
status: New → Invalid
Kees Cook (kees) on 2007-10-18
Changed in gs-gpl:
status: New → Invalid
Ralph Giles (giles-ghostscript) wrote :

Thanks for the prompt response!

There are two main issues: One is a patch for handling broken streams produced by certain popular authoring software. Upstream rejected the patch because it increases memory footprint (a "you can free this" tag is incorrect in these files). A combination of not-my-problem and the usual tension between a reference implementation and liberal acceptance for applications. The jpeg2k implementation in libpoppler works around such files in the same way.

Analysis and patch here: http://bugs.ghostscript.com/show_bug.cgi?id=687416

The second is a patch to add support for returning raw palette data, which is required by the PDF spec. I haven't tried getting this one upstream.

Since then our fork has diverged a bit more (error reporting through a callback instead of printf() and assert() and some optimizations, both of which are most important on Windows) but the API difference can be ifdef'd around. So linking with the system libjasper could be done at the expense of handling these files. Or you could apply our patches to your libjasper. The two specific ones mentioned above are ABI compatible.

I hope to try again for upstream inclusion when I get a chance to merge our changes into the 1.900.1 release.

Kees Cook (kees) wrote :
Changed in ghostscript:
status: Fix Committed → Fix Released
Changed in gs-gpl:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Fix in 8.61.dfsg.1~svn8187-1.1

Changed in ghostscript:
status: Confirmed → Fix Released
This report contains Public Security information