FS#43155 - [jasper] CVE-2014-8137 CVE-2014-8138: arbitrary code execution / denial of service

Attached to Project: Arch Linux
Opened by Levente Polyak (anthraxx) - Friday, 19 December 2014, 01:35 GMT
Last edited by Eric Belanger (Snowman) - Friday, 19 December 2014, 03:38 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Hey, sorry that you have to deal with this twice, but I just noticed there are 2 more issues [0] that we should backport to mitigate:
CVE-2014-8137 [1] is a double free with severity low and CVE-2014-8138 [2] is a heap buffer overflow with severity high.

CVE-2014-8137: double-free in jas_iccattrval_destroy()
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Mitigation through attached patches [3][4].

CVE-2014-8138: heap overflow in jp2_decode()
A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Mitigation through attached patch [5].

[0] https://marc.info/?l=oss-security&m=141891163026757&w=2
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8137
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8138
[3] https://bugzilla.redhat.com/attachment.cgi?id=967283
[4] https://bugzilla.redhat.com/attachment.cgi?id=967284
[5] https://bugzilla.redhat.com/attachment.cgi?id=967280

Closed by Eric Belanger (Snowman)
Friday, 19 December 2014, 03:38 GMT
Reason for closing: Fixed
Additional comments about closing: Thanks.
All fixed in jasper-1.900.1-12
Comment by Levente Polyak (anthraxx) - Friday, 19 December 2014, 02:26 GMT
Wow, seems like we are also vulnerable to CVE-2011-4516 and CVE-2011-4517. I'm currently digging deeper into this topic, will attach the patches.
Comment by Levente Polyak (anthraxx) - Friday, 19 December 2014, 02:57 GMT
As mentioned above, I'm also attaching CVE-2011-4516 and CVE-2011-4517, which can be looked up at Debian [0].
Also, I added a filename buffer overflow patch from Debian.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652649
