1) An error in the "jpc_cox_getcompparms()" function (src/libjasper/jpc/jpc_cs.c) when processing a coding style default (COD) marker segment can be exploited to overwrite a certain callback function pointer.

2) An error in the "jpc_crg_getparms()" function (src/libjasper/jpc/jpc_cs.c) when processing a component registration (CRG) marker segment can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Original Advisory: http://www.kb.cert.org/vuls/id/887409

I have verified that the files /src/libjasper/jpc/jpc_cs.c and /src/libjasper/jpc/jpc_cs.h both exist and that they contain the specified functions getcompparms() and getparms(). I went no farther.

Solution: Do not process files from untrusted sources.
Michael, thanks for the bug. Please include all herds and maintainers (from the package metadata) in CC. Also, please do not include version information in the Summary until we know what version is fixed in Gentoo. Thanks!
Is there a possible fix available?
Would this be a valid fix?
http://pkgs.fedoraproject.org/gitweb/?p=jasper.git;a=blob;f=jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch;h=f753080a3af4375a33650495a15df1b3d5659ab1;hb=c73923e32e029920bdf9deb0719dd180e3942b93
(In reply to comment #3)
> Would this be a valid fix?

It looks like it, yeah.
Looks ok, -r4 in CVS. Could the arch teams make it stable soon, please?
(In reply to comment #5)
> Could the arch teams make it stable soon, please?

Done, amd64/x86 stable.
Arches, please test and mark stable:
=media-libs/jasper-1.900.1-r4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stable : "amd64 x86"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 s390 sh sparc"
alpha/arm/ia64/s390/sh/sparc stable
Stable for HPPA.
CVE-2011-4517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4517): The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a malformed JPEG2000 file.

CVE-2011-4516 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4516): Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a JPEG2000 file.
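The two bug classes named in the CVE descriptions above (and in the original report in comment #0), shown in a toy marker-segment parser. This is an added example, not JasPer's code and not the Fedora patch: the segment layouts, the MAXRLVLS capacity, the crgcomp_t layout and the function names are all constructed for the illustration. The first pair shows a file-controlled count (the numrlvls case) driving writes into a fixed table, with the bound check that stops it; the second shows a heap allocation sized from the wrong type next to a parser that sizes from the element type and makes the segment length prove the data is present.

```c
/* Added illustration of the two bug classes above. NOT JasPer's code: the
 * segment layouts, MAXRLVLS and the struct layouts are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXRLVLS 33  /* assumed fixed capacity of the per-resolution-level table */

typedef struct {
    uint8_t numrlvls;             /* count copied straight from the file */
    uint8_t stepsizes[MAXRLVLS];  /* fixed table, one entry per level */
} cox_t;

/* Class 1 (the CVE-2011-4516 pattern): a file-controlled count drives a loop
 * that writes into a fixed-size array. The length check keeps the reads in
 * bounds, but with numrlvls > MAXRLVLS the writes run past stepsizes[] into
 * whatever follows the struct. Never feed this untrusted input. */
int cox_parse_unchecked(const uint8_t *seg, size_t len, cox_t *out)
{
    if (len < 1)
        return -1;
    out->numrlvls = seg[0];
    if (len < 1 + (size_t)out->numrlvls)
        return -1;
    for (unsigned i = 0; i < out->numrlvls; i++)
        out->stepsizes[i] = seg[1 + i];
    return 0;
}

/* Hardened form: bound the count against the table before any write. */
int cox_parse_checked(const uint8_t *seg, size_t len, cox_t *out)
{
    if (len < 1)
        return -1;
    uint8_t n = seg[0];
    if (n > MAXRLVLS)                 /* the check the unchecked version lacks */
        return -1;
    if (len < 1 + (size_t)n)
        return -1;
    out->numrlvls = n;
    for (unsigned i = 0; i < n; i++)
        out->stepsizes[i] = seg[1 + i];
    return 0;
}

typedef struct {
    uint16_t hoff;   /* horizontal registration offset */
    uint16_t voff;   /* vertical registration offset */
} crgcomp_t;

/* Class 2 (the CVE-2011-4517 pattern): the heap size comes from the wrong
 * type. Each entry holds two uint16_t fields, so sizing by one field yields a
 * buffer half as large as the fill loop assumes; the rest of the entries are
 * written into the adjacent heap chunk. */
size_t crg_bytes_buggy(size_t numcomps)   { return numcomps * sizeof(uint16_t); }
size_t crg_bytes_correct(size_t numcomps) { return numcomps * sizeof(crgcomp_t); }

/* Hardened parser: size the allocation from the element type, guard the
 * multiplication, and require the segment to carry 4 bytes per component.
 * Returns a malloc'd array of numcomps entries, or NULL if rejected. */
crgcomp_t *crg_parse(const uint8_t *seg, size_t len, size_t numcomps)
{
    if (numcomps == 0 || numcomps > SIZE_MAX / sizeof(crgcomp_t))
        return NULL;
    if (len != numcomps * 4)          /* two big-endian uint16 per component */
        return NULL;
    crgcomp_t *comps = malloc(crg_bytes_correct(numcomps));
    if (!comps)
        return NULL;
    for (size_t i = 0; i < numcomps; i++) {
        const uint8_t *p = seg + 4 * i;
        comps[i].hoff = (uint16_t)((p[0] << 8) | p[1]);
        comps[i].voff = (uint16_t)((p[2] << 8) | p[3]);
    }
    return comps;
}

int main(void)
{
    /* Constructed sample segments, not taken from a real file. */
    static const uint8_t cod_ok[]  = { 3, 0x40, 0x42, 0x44 };  /* numrlvls = 3 */
    static const uint8_t cod_bad[] = { 200 };                  /* numrlvls = 200 > MAXRLVLS */
    static const uint8_t crg_ok[]  = { 0,1, 0,2, 0,3, 0,4 };   /* 2 components */
    cox_t c;

    printf("COD ok    -> %d\n", cox_parse_checked(cod_ok, sizeof cod_ok, &c));
    printf("COD bad   -> %d (rejected before any table write)\n",
           cox_parse_checked(cod_bad, sizeof cod_bad, &c));
    printf("CRG alloc for 2 comps: buggy %zu bytes, correct %zu bytes\n",
           crg_bytes_buggy(2), crg_bytes_correct(2));
    crgcomp_t *comps = crg_parse(crg_ok, sizeof crg_ok, 2);
    if (comps)
        printf("CRG ok    -> comp1 hoff=%u voff=%u\n", comps[1].hoff, comps[1].voff);
    printf("CRG short -> %s\n", crg_parse(crg_ok, 6, 2) ? "accepted" : "rejected");
    free(comps);
    return 0;
}
```

The point the hardened versions make is that a length check on the input alone is not enough: the count also has to be compared with the capacity of the destination, and the allocation has to be derived from the type actually stored. Reviewing a parser fix, check each `malloc`/`jas_alloc2` size expression against the element type written in the loop that follows it.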
ppc/ppc64 done
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201201-10 at http://security.gentoo.org/glsa/glsa-201201-10.xml by GLSA coordinator Sean Amoss (ackle).