Double free in libjasper jas_icc.c

Bug #1547865 reported by Jacob Baines on 2016-02-20
Affects: jasper (Ubuntu)
Importance: Medium
Assigned to: Tyler Hicks

Bug Description

A malformed JPEG2000 image being processed by libjasper can lead to a double free in jas_icc.c:jas_iccprof_load(). Specifically, the variable "attrval" is freed via a call to jas_iccattrval_destroy on line 302 and then, if the program moves to the error label before attrval gets assigned a new value at 328, "attrval" gets freed again at line 357.

To reproduce the double free is fairly simple using the libjasper-runtime program 'imginfo':

test@ubuntu:~$ imginfo -f ~/test/bad.jp2

Attached is an image to reproduce this bug. A quick note about the image, it appears to also exercise Bug #555238 which is a stack exhaustion bug in nautilus. Therefore, don't be surprised when the image crashes nautilus. Also attached is output from valgrind and a backtrace from gdb.

lsb_release -rd output:
test@ubuntu:~$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04

apt-cache output:
test@ubuntu:~$ apt-cache policy libjasper1
libjasper1:
  Installed: 1.900.1-14ubuntu3.2
  Candidate: 1.900.1-14ubuntu3.2
  Version table:
 *** 1.900.1-14ubuntu3.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.900.1-14ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
test@ubuntu:~$ apt-cache policy libjasper-runtime
libjasper-runtime:
  Installed: 1.900.1-14ubuntu3.2
  Candidate: 1.900.1-14ubuntu3.2
  Version table:
 *** 1.900.1-14ubuntu3.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.900.1-14ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
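The pattern the report describes (an object destroyed inside a loop, the pointer left dangling, and a shared error label that destroys it again when a later read fails before the pointer is reassigned) can be reproduced in isolation. The following is an added example written for this page, not code from jasper or from the patch; attrval_t, the fixed pool, the tag table and the load_* functions are all constructed stand-ins. Objects carry a "live" flag so the second destroy is counted instead of corrupting the heap, which lets the vulnerable loop and the fixed loop be compared on the same input.

```c
#include <stdio.h>

/* Constructed stand-in for jas_iccattrval_t. Objects come from a fixed pool
 * and carry a "live" flag, so a second destroy of the same object is counted
 * rather than corrupting the heap the way a real double free would. */
typedef struct {
    int live;
    int value;
} attrval_t;

#define POOL_SIZE 8
static attrval_t pool[POOL_SIZE];
static int pool_used;           /* slots handed out so far */
static int live_count;          /* objects created but not yet destroyed */
static int double_free_count;   /* destroy() calls that hit an already-dead object */

static void reset_tracking(void)
{
    pool_used = 0;
    live_count = 0;
    double_free_count = 0;
}

static attrval_t *attrval_create(int value)
{
    attrval_t *a;
    if (pool_used >= POOL_SIZE)
        return NULL;
    a = &pool[pool_used++];
    a->live = 1;
    a->value = value;
    live_count++;
    return a;
}

static void attrval_destroy(attrval_t *a)
{
    if (!a->live) {             /* in real code this is the double free */
        double_free_count++;
        return;
    }
    a->live = 0;
    live_count--;
}

/* Hypothetical tag table standing in for the ICC tag list: a value >= 0 is a
 * tag that decodes, a value < 0 is a tag whose data cannot be read. */
static int load_vulnerable(const int *tags, int ntags)
{
    attrval_t *attrval = NULL;
    int i;
    for (i = 0; i < ntags; i++) {
        if (tags[i] < 0)
            goto error;             /* read fails after the previous attr was destroyed */
        attrval = attrval_create(tags[i]);
        if (!attrval)
            goto error;
        /* ... attribute would be consumed here ... */
        attrval_destroy(attrval);   /* destroyed, but the pointer is left dangling */
    }
    return 0;
error:
    if (attrval)
        attrval_destroy(attrval);   /* destroys the already-destroyed object */
    return -1;
}

/* Same loop with the defensive pattern: clear the pointer as soon as it is
 * destroyed, so the cleanup label only ever sees NULL or a live object. */
static int load_fixed(const int *tags, int ntags)
{
    attrval_t *attrval = NULL;
    int i;
    for (i = 0; i < ntags; i++) {
        if (tags[i] < 0)
            goto error;
        attrval = attrval_create(tags[i]);
        if (!attrval)
            goto error;
        attrval_destroy(attrval);
        attrval = NULL;             /* the one-line difference */
    }
    return 0;
error:
    if (attrval)
        attrval_destroy(attrval);
    return -1;
}

/* Runs one loader over one tag table and returns how many double frees the
 * tracking caught; live_objects() then reports anything never destroyed. */
static int run_case(int use_fixed, const int *tags, int ntags)
{
    reset_tracking();
    if (use_fixed)
        load_fixed(tags, ntags);
    else
        load_vulnerable(tags, ntags);
    return double_free_count;
}

static int live_objects(void) { return live_count; }

/* Constructed inputs: two readable tags then a truncated one; and a table that
 * decodes completely. */
static const int BAD_PROFILE[]  = { 1, 2, -1 };
static const int GOOD_PROFILE[] = { 1, 2, 3 };

int main(void)
{
    printf("vulnerable loop, bad profile: %d double free(s)\n", run_case(0, BAD_PROFILE, 3));
    printf("fixed loop,      bad profile: %d double free(s)\n", run_case(1, BAD_PROFILE, 3));
    return 0;
}
```

The tracking pool is only there to make the defect observable without undefined behaviour; against the real library the same input would be caught by valgrind or ASan, as the reporter's attached valgrind output shows. Note that neither loop leaks on the bad input: the fix is not about freeing more, but about making the cleanup label unable to see a stale pointer.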

Tyler Hicks (tyhicks) wrote :

Hello and thanks for the bug report. I have verified this bug on Xenial (jasper 1.900.1-debian1-2.4), as well.

I initially thought that it may be CVE-2014-8137 but we have released updates for that issue and I've verified that the corresponding patch is being applied in the jasper package's build. This must be a new issue.

Have you alerted upstream jasper or any other parties about this issue?

Changed in jasper (Ubuntu):
status: New → Confirmed
Jacob Baines (baines-jacob) wrote :

I haven't notified upstream or anyone else.

Marc Deslauriers (mdeslaur) wrote :

I've assigned CVE-2016-1577 to this issue.

Tyler Hicks (tyhicks) wrote :

Proposed fix for this issue. I've tested it with the reproducer and with https://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-jasper.py.

Tyler Hicks (tyhicks) wrote :

Jacob - would you be ok with a coordinated release date (CRD) of <2016-03-03 14:00:00 UTC>? If so, we ask that you keep this issue private until the CRD.

Jacob Baines (baines-jacob) wrote :

Yes, that CRD is fine and I will keep the issue private.

Tyler Hicks (tyhicks) on 2016-03-03
Changed in jasper (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jasper - 1.900.1-13ubuntu0.3

---------------
jasper (1.900.1-13ubuntu0.3) precise-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Changed in jasper (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jasper - 1.900.1-debian1-2.4ubuntu0.15.10.1

---------------
jasper (1.900.1-debian1-2.4ubuntu0.15.10.1) wily-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Changed in jasper (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jasper - 1.900.1-14ubuntu3.3

---------------
jasper (1.900.1-14ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Changed in jasper (Ubuntu):
status: In Progress → Fix Released