Bug 179159 - media-libs/jasper Possible crash issue (CVE-2007-2721)
Summary: media-libs/jasper Possible crash issue (CVE-2007-2721)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa] jaervosz
 
Reported: 2007-05-19 22:18 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-03-28 23:11 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:18:17 UTC
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert.
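The description names the JasPer routine that reads a JPEG-2000 quantization (QCD/QCC) marker segment. The class of bug it describes is a count derived from an attacker-controlled segment length being used to fill a fixed-size table. The following is an added example, not JasPer's code and not the patch shipped in jasper-1.900.1-r1: a bounds-checked parser for that segment written from the codestream layout (Sqcd byte, then SPqcd entries whose width depends on the quantization style). The maximum of 32 decomposition levels, and therefore the 97-entry limit, is an assumption for this example; the sample segments are constructed here, not taken from the Debian test files.

```python
"""Added example, not JasPer's code: a bounds-checked parser for the JPEG-2000
QCD (quantization default) marker segment. Layout follows the codestream
syntax; the size limit below is an assumption for this example."""
import struct

# Assumption: at most 32 decomposition levels, i.e. 3 subbands per level plus
# one LL band. Any count above this is rejected before it can size or index
# a fixed-size table.
MAX_DECOMP_LEVELS = 32
MAX_STEPSIZES = 3 * MAX_DECOMP_LEVELS + 1

QCD_MARKER = 0xFF5C          # quantization default marker
QSTYLE_NONE = 0              # no quantization: 8-bit SPqcd per subband
QSTYLE_SCALAR_DERIVED = 1    # one 16-bit SPqcd for all subbands
QSTYLE_SCALAR_EXPOUNDED = 2  # 16-bit SPqcd per subband


class MalformedSegment(ValueError):
    """Raised instead of letting a bad length reach array indexing."""


def parse_qcx_compparms(body: bytes) -> dict:
    """Parse Sqcd and the SPqcd list from a QCD/QCC segment body (after Lqcd)."""
    if len(body) < 1:
        raise MalformedSegment("segment too short for Sqcd")
    sqcd = body[0]
    qntsty = sqcd & 0x1F      # low 5 bits: quantization style
    numguard = sqcd >> 5      # high 3 bits: number of guard bits
    sp = body[1:]
    if qntsty == QSTYLE_NONE:
        width, count = 1, len(sp)
    elif qntsty == QSTYLE_SCALAR_DERIVED:
        width, count = 2, 1
    elif qntsty == QSTYLE_SCALAR_EXPOUNDED:
        width, count = 2, len(sp) // 2
    else:
        raise MalformedSegment(f"unknown quantization style {qntsty}")
    # The step-size count comes straight from the untrusted segment length;
    # bound it here, before it is used to fill or index anything.
    if count > MAX_STEPSIZES:
        raise MalformedSegment(f"{count} step sizes exceeds {MAX_STEPSIZES}")
    if len(sp) != count * width:
        raise MalformedSegment("SPqcd length does not match quantization style")
    stepsizes = []
    for i in range(count):
        chunk = sp[i * width:(i + 1) * width]
        if width == 1:
            expn, mant = chunk[0] >> 3, 0
        else:
            value = struct.unpack(">H", chunk)[0]
            expn, mant = value >> 11, value & 0x7FF
        stepsizes.append((expn, mant))
    return {"qntsty": qntsty, "numguard": numguard, "stepsizes": stepsizes}


def parse_qcd_segment(data: bytes, offset: int = 0) -> dict:
    """Read a QCD marker segment (marker, Lqcd, body) from a codestream buffer,
    checking that the declared length actually fits inside the buffer."""
    if len(data) - offset < 4:
        raise MalformedSegment("truncated marker segment header")
    marker, length = struct.unpack_from(">HH", data, offset)
    if marker != QCD_MARKER:
        raise MalformedSegment(f"expected QCD marker, got {marker:#06x}")
    # Lqcd counts its own 2 bytes plus the body and must fit the buffer.
    if length < 3 or offset + 2 + length > len(data):
        raise MalformedSegment(f"Lqcd={length} does not fit the buffer")
    body = data[offset + 4:offset + 2 + length]
    return parse_qcx_compparms(body)


def is_rejected(data: bytes) -> bool:
    """True if the segment is refused; exposes the failure paths for testing."""
    try:
        parse_qcd_segment(data)
    except MalformedSegment:
        return True
    return False


# Constructed sample segments (not taken from the bug's test files).
# One decomposition level, no quantization: LL + 3 subbands, exponent 8 each.
GOOD_NO_QUANT = bytes([0xFF, 0x5C, 0x00, 0x07, 0x40]) + bytes([0x40] * 4)
# Scalar expounded, one subband: exponent 9, mantissa 0x123.
GOOD_EXPOUNDED = bytes([0xFF, 0x5C, 0x00, 0x05, 0x42, 0x49, 0x23])
# Oversized: 98 step sizes in an otherwise well-formed segment.
OVERSIZED = bytes([0xFF, 0x5C, 0x00, 3 + 98, 0x40]) + bytes([0x40] * 98)
# Lying length: Lqcd claims 200 bytes but the buffer holds 5.
TRUNCATED = bytes([0xFF, 0x5C, 0x00, 0xC8, 0x40])

if __name__ == "__main__":
    print(parse_qcd_segment(GOOD_NO_QUANT))
    print(parse_qcd_segment(GOOD_EXPOUNDED))
    print("oversized rejected:", is_rejected(OVERSIZED))
    print("truncated rejected:", is_rejected(TRUNCATED))
```

The two checks that matter are the ones a crash-only description tends to hide: the declared segment length is validated against the buffer before any byte of the body is read, and the step-size count derived from that length is compared with the table size before the loop that fills it. Both rejections happen on the constructed OVERSIZED and TRUNCATED inputs without touching any out-of-range index.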
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:26:28 UTC
sci please advise.
Comment 2 Markus Dittrich (RETIRED) gentoo-dev 2007-05-20 17:10:59 UTC
Hi guys,

Thanks for the heads-up!

I just had a look at bug #413041 in Debian's bugzilla and
what a mess!
In any case, I just pushed out jasper-1.900.1-r1 which
has the fix for the overflow in jpc/jpc_cs.c. This addresses
the problems with the testfiles broken2.jp2 and broken4.jp2
as posted in Debian's bugzilla. However, the other ones
(broken.jpc, ..) still cause segfaults on my x86 box and
are still unresolved in debian as well AFAICT.

How should we proceed from here? 

Thanks,
Markus
Comment 3 Markus Dittrich (RETIRED) gentoo-dev 2007-05-20 18:51:40 UTC
My apologies, I didn't mean to close this one at all :(
I don't know what happened! Reopening.....

Markus
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 19:28:39 UTC
I guess you checked "Resolve bug" before committing :)

Markus do you have any idea about a possible timeframe for the remaining fixes?

The issue doesn't seem too serious so I'd rather avoid calling arches twice if it's not needed.

Comment 5 Markus Dittrich (RETIRED) gentoo-dev 2007-05-20 20:39:35 UTC
Unfortunately, I don't know jasper well at all so I don't really
have a time frame yet for when the rest will be fixed and by
whom. I'll keep an eye on debian's bugzilla for any progress.

I suspect that the best way to proceed would be to ping 
upstream, make them aware of the problems (not sure
if this has happened yet) and hope they will provide an
updated release that fixes these issues. I'll ping them later
and post back with any news.

Thanks,
Markus
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-03 15:21:06 UTC
Markus, any news? Otherwise I'll call arches.
Comment 7 Markus Dittrich (RETIRED) gentoo-dev 2007-06-04 13:17:36 UTC
Hi Sune,

Sorry for the delay! I just heard back from upstream 
and here's what they have to say

----------- SNIP ----------------
On Mon, 21 May 2007, Markus Dittrich wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Greetings and sorry to bug you with this.
> A few days a ago a security advisory
> was issued for libjasper
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721  

I will add your email to my work queue for JasPer.
Since I do not have much time to work on JasPer
these days, it may take a while before I can
resolve the issues mentioned in your email.

--Michael

----------- SNIP -------------------------------------------------

Sounds to me as if the remaining issues won't get
resolved in the very near future. Nothing has happened
over at debian regarding the remaining issues either
AFAICT. Hence, maybe we should just go ahead and
push out what we have so far. What do you think?

Best,
Markus
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-04 14:59:37 UTC
Thx Michael, let's get this stabled.

Arches please test and mark stable. Target keywords are:

jasper-1.900.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 9 Emanuele Gentili 2007-06-04 15:25:14 UTC
media-libs/jasper-1.900.1-r1  USE="jpeg opengl"

1. emerges on x86
2. passes test suite
3. passes collision test
4. works

Portage 2.1.2.7 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.17-gentoo-r8-panic i686)
=================================================================
System uname: 2.6.17-gentoo-r8-panic i686 Intel(R) Pentium(R) M processor 2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 04 Jun 2007 08:00:01 +0000
ccache version 2.4 [disabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="it_IT.UTF-8"
LC_ALL="C"
LINGUAS="it"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi adns alsa apache arts asf ati avi bash-completion beagle berkdb bitmap-fonts browserplugin bzip2 cairo caps cdr cli cracklib crd crypt cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm gtk hal i810 iconv imagemagick intel ipod ipv6 isdnlog java jpeg kde libg++ libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pdf perl php png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test theora threads truetype-fonts type1-fonts unicode usb v4l vcd vorbis win32codecs wma wmf wmv wxwindows x264 x86 xine xml2 xorg xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="vesa i810 vga"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

For me, stable on x86.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-04 15:42:06 UTC
The update breaks ABI, thus it would be nice to have the big fat usual "revdep-rebuild" warning stuck to it. It breaks digikam at least.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-04 15:47:28 UTC
Markus please provide an updated elog warning.

Arches I guess you can just continue stable marking.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-04 16:46:52 UTC
Stable for HPPA.
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-04 18:54:24 UTC
sparc stable and added the note myself.
Comment 14 Markus Dittrich (RETIRED) gentoo-dev 2007-06-04 20:30:01 UTC
(In reply to comment #13)
> sparc stable and added the note myself.
> 

Thanks much! Unfortunately, I wasn't aware of the ABI break.
I really wonder if I should ask the graphics folks if they
would be willing to take over this package since the sci herd 
doesn't quite seem like its proper home:)

Best,
Markus
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2007-06-05 19:27:07 UTC
ppc64 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-05 19:38:47 UTC
ppc stable
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-06 07:50:00 UTC
x86 stable
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2007-06-06 13:28:05 UTC
alpha/ia64 stable
Comment 19 Kenneth Prugh (RETIRED) gentoo-dev 2007-06-07 23:28:59 UTC
media-libs/jasper-1.900.1-r1 is stable on amd64

1) Emerges cleanly with USE="X jpeg jpeg2k mpeg perl png truetype xml zlib -bzip2 -doc -fpx -graphviz -gs -jbig -lcms -nocxx -tiff -wmf"

2) No Collisions

3) Works

Portage 2.1.2.7 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r3, 2.6.22-rc4-kamikaze x86_64)
=================================================================
System uname: 2.6.22-rc4-kamikaze x86_64 Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 07 Jun 2007 15:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=nocona -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo "
MAKEOPTS="-j3"
PKGDIR="/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dbus dri flac fortran gdbm gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal libg++ mad midi mmx mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre perl png pppd python qt4 readline reflection session spl sse sse2 ssl symlink tcpd test truetype truetype-fonts type1-fonts unicode vorbis xml xorg zlib" ALSA_CARDS="usb-audio hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 20 Christoph Mende (RETIRED) gentoo-dev 2007-06-07 23:31:20 UTC
sorry for the delay, amd64 stable, thanks Kenneth
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-08 06:18:10 UTC
I vote NO.
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-09 20:53:58 UTC
"possible?" just "crash"? Then I vote noglsa.