Double free in libjasper jas_icc.c

Bug #1547865 reported by Jacob Baines
Affects: jasper (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Tyler Hicks

Bug Description

A malformed JPEG2000 image being processed by libjasper can lead to a double free in jas_icc.c:jas_iccprof_load(). Specifically, the variable "attrval" is freed via a call to jas_iccattrval_destroy on line 302 and then, if the program moves to the error label before attrval gets assigned a new value at 328, "attrval" gets freed again at line 357.

To reproduce the double free is fairly simple using the libjasper-runtime program 'imginfo':

test@ubuntu:~$ imginfo -f ~/test/bad.jp2

Attached is an image to reproduce this bug. A quick note about the image, it appears to also exercise Bug #555238 which is a stack exhaustion bug in nautilus. Therefore, don't be surprised when the image crashes nautilus. Also attached is output from valgrind and a backtrace from gdb.

lsb_release -rd output:
test@ubuntu:~$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04

apt-cache output:
test@ubuntu:~$ apt-cache policy libjasper1
libjasper1:
  Installed: 1.900.1-14ubuntu3.2
  Candidate: 1.900.1-14ubuntu3.2
  Version table:
 *** 1.900.1-14ubuntu3.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.900.1-14ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
test@ubuntu:~$ apt-cache policy libjasper-runtime
libjasper-runtime:
  Installed: 1.900.1-14ubuntu3.2
  Candidate: 1.900.1-14ubuntu3.2
  Version table:
 *** 1.900.1-14ubuntu3.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.900.1-14ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
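The report above describes a classic shape of double free: an object is destroyed inside a loop, the pointer is left dangling, a later check fails and jumps to a shared error label, and the error path destroys the same pointer again. The following stand-alone C program is an added example that models that control flow; it is not jasper's code and it does not reproduce jas_icc.c. The `attrval_t` type, the pool allocator, the `load_profile_*` functions and the tag table are all constructed for the illustration; the pool-backed `attrval_destroy` records a second destroy instead of calling `free()` twice, so the program can demonstrate the bug without invoking undefined behaviour. The hardened variant clears the pointer after destroying it, which is the generic fix for this pattern (the actual Ubuntu patch is not shown on this page).

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the attribute value object in the report.
   Instead of being free()d it carries a flag, so a second destroy is
   observable rather than undefined behaviour. */
typedef struct {
    int freed;              /* set to 1 by attrval_destroy */
} attrval_t;

#define POOL_SIZE 8
static attrval_t pool[POOL_SIZE];  /* fixed pool replaces malloc for the demo */
static int pool_next;
static int double_frees;           /* how many destroys hit a freed object */

static attrval_t *attrval_create(void) {
    if (pool_next >= POOL_SIZE)
        return NULL;
    attrval_t *v = &pool[pool_next++];
    v->freed = 0;
    return v;
}

static void attrval_destroy(attrval_t *v) {
    if (v->freed) {         /* in real code this is the double free */
        double_frees++;
        return;
    }
    v->freed = 1;
}

/* tags[i] == 0 models a malformed entry whose validation fails after the
   attribute value for that entry has already been destroyed. */
static int load_profile_buggy(const int *tags, size_t ntags) {
    attrval_t *attrval = NULL;
    for (size_t i = 0; i < ntags; ++i) {
        if (!(attrval = attrval_create()))
            goto error;
        /* ... attribute consumed here ... */
        attrval_destroy(attrval);   /* freed, but the pointer still points at it */
        if (!tags[i])
            goto error;             /* reached before attrval is reassigned */
    }
    return 0;
error:
    if (attrval)
        attrval_destroy(attrval);   /* second destroy of the same object */
    return -1;
}

/* Same flow with the dangling pointer cleared right after the destroy, so
   the error path has nothing stale to free. */
static int load_profile_fixed(const int *tags, size_t ntags) {
    attrval_t *attrval = NULL;
    for (size_t i = 0; i < ntags; ++i) {
        if (!(attrval = attrval_create()))
            goto error;
        attrval_destroy(attrval);
        attrval = NULL;             /* the one-line hardening */
        if (!tags[i])
            goto error;
    }
    return 0;
error:
    if (attrval)
        attrval_destroy(attrval);
    return -1;
}

/* Resets the pool, runs one loader over a tag table and returns the number
   of destroys that landed on an already-destroyed object. */
static int count_double_frees(int (*loader)(const int *, size_t),
                              const int *tags, size_t ntags) {
    pool_next = 0;
    double_frees = 0;
    loader(tags, ntags);
    return double_frees;
}

/* Constructed inputs: one well-formed table and one whose second entry
   fails validation, standing in for the crafted ICC profile. */
static const int good_tags[] = { 1, 1, 1 };
static const int malformed_tags[] = { 1, 0 };

int main(void) {
    printf("buggy loader, malformed profile: %d double free(s)\n",
           count_double_frees(load_profile_buggy, malformed_tags, 2));
    printf("fixed loader, malformed profile: %d double free(s)\n",
           count_double_frees(load_profile_fixed, malformed_tags, 2));
    printf("buggy loader, well-formed profile: %d double free(s)\n",
           count_double_frees(load_profile_buggy, good_tags, 3));
    return 0;
}
```

The well-formed table never takes the error edge, which is why the bug survived normal inputs and only surfaced under a malformed profile; running the real `imginfo` under valgrind or an ASan build, as the reporter did, is how the second free becomes visible in the actual library.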

Tyler Hicks (tyhicks) wrote :

Hello and thanks for the bug report. I have verified this bug on Xenial (jasper 1.900.1-debian1-2.4), as well.

I initially thought that it may be CVE-2014-8137 but we have released updates for that issue and I've verified that the corresponding patch is being applied in the jasper package's build. This must be a new issue.

Have you alerted upstream jasper or any other parties about this issue?

Changed in jasper (Ubuntu):
status: New → Confirmed
Jacob Baines (baines-jacob) wrote :

I haven't notified upstream or anyone else.

Marc Deslauriers (mdeslaur) wrote :

I've assigned CVE-2016-1577 to this issue.

Tyler Hicks (tyhicks) wrote :

Proposed fix for this issue. I've tested it with the reproducer and with https://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-jasper.py.

Tyler Hicks (tyhicks) wrote :

Jacob - would you be ok with a coordinated release date (CRD) of <2016-03-03 14:00:00 UTC>? If so, we ask that you keep this issue private until the CRD.

Jacob Baines (baines-jacob) wrote :

Yes, that CRD is fine and I will keep the issue private.

Tyler Hicks (tyhicks)
Changed in jasper (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jasper - 1.900.1-13ubuntu0.3

---------------
jasper (1.900.1-13ubuntu0.3) precise-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Changed in jasper (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jasper - 1.900.1-debian1-2.4ubuntu0.15.10.1

---------------
jasper (1.900.1-debian1-2.4ubuntu0.15.10.1) wily-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Changed in jasper (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jasper - 1.900.1-14ubuntu3.3

---------------
jasper (1.900.1-14ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Changed in jasper (Ubuntu):
status: In Progress → Fix Released