Double free in libjasper jas_icc.c
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jasper (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Bug Description
A malformed JPEG2000 image being processed by libjasper can lead to a double free in jas_icc.
To reproduce the double free is fairly simple using the libjasper-runtime program 'imginfo':
```
test@ubuntu:~$ imginfo -f ~/test/bad.jp2
```
Attached is an image to reproduce this bug. A quick note about the image, it appears to also exercise Bug #555238 which is a stack exhaustion bug in nautilus. Therefore, don't be surprised when the image crashes nautilus. Also attached is output from valgrind and a backtrace from gdb.
lsb_release -rd output:
```
test@ubuntu:~$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
```
apt-cache output:
```
test@ubuntu:~$ apt-cache policy libjasper1
libjasper1:
  Installed: 1.900.1-14ubuntu3.2
  Candidate: 1.900.1-14ubuntu3.2
  Version table:
 *** 1.900.1-14ubuntu3.2 0
        500 http://
        500 http://
        100 /var/lib/
     1.
        500 http://
test@ubuntu:~$ apt-cache policy libjasper-runtime
libjasper-runtime:
  Installed: 1.900.1-14ubuntu3.2
  Candidate: 1.900.1-14ubuntu3.2
  Version table:
 *** 1.900.1-14ubuntu3.2 0
        500 http://
        500 http://
        100 /var/lib/
     1.
        500 http://
```
Changed in jasper (Ubuntu):

Field | Change
---|---
status | Confirmed → In Progress
importance | Undecided → Medium
assignee | nobody → Tyler Hicks (tyhicks)
information type | Private Security → Public Security
Hello and thanks for the bug report. I have verified this bug on Xenial (jasper 1.900.1-debian1-2.4), as well.
I initially thought that it may be CVE-2014-8137 but we have released updates for that issue and I've verified that the corresponding patch is being applied in the jasper package's build. This must be a new issue.
Have you alerted upstream jasper or any other parties about this issue?