Bug 222819 (CVE-2008-3520)

Comment 1 Patrick Kursawe (RETIRED) 2008-05-20 07:15:03 UTC

What exactly am I supposed to do about this without any further information/patches/updated versions available? I am a bit irritated.

Comment 2 Pierre-Yves Rofes (RETIRED) 2008-05-20 21:35:01 UTC

(In reply to comment #1)
> What exactly am I supposed to do about this without any further
> information/patches/updated versions available? I am a bit irritated.
> 

sorry, the CC was just to inform you. For the moment, patches have been provided on vendor-sec, but some of them are *BSD specific (e.g they use strlcat()), so they'll need some additional work to make them apply on Linux.

Comment 3 Robert Buchholz (RETIRED) 2008-08-19 09:29:19 UTC

The following analysis was provided by Ludwig Nussel of Suse/Novell:

CVE-2008-3520:
- patches change all occurrences of malloc(a*b) with
  jas_alloc2(a,b). Hard to tell whether any are actually
  exploitable. Some seem to multiply a value from the file with the
  size of a structure indeed. The ones that multiply two variables
  seem to be harmless due to 16 or only 8 bit values. I talked to
  Marc Espie but he is not interested in investigating it further.
  So unless someone wants to spend a lot of time analyzing the
  context of every multiplication patching all such places seems to
  be a logical defensive measurement.

CVE-2008-3521:
- tmp race in jas_stream_tmpfile(), jas_stream.c

CVE-2008-3522:
- vsprintf buffer overflow in jas_stream_printf(), jas_stream.c. Potentially
  dangerous. Called from mif_hdr_put() where it's not obvious to me
  whether there is a limit on the passed string.

Comment 4 Robert Buchholz (RETIRED) 2008-08-19 09:30:00 UTC

Created attachment 163282 [details, diff]
jasper-1.900.1-CVE-2008-3520+1+2.patch

Relevant portions of the patches shipped by OpenBSD

Comment 5 Robert Buchholz (RETIRED) 2008-08-19 09:31:57 UTC

Patrick, we are currently discussing whether the patch and information about the vulnerabilities should be embargoed and until when. Please keep them confidential until this discussion has yielded a decision.
In the meantime, please test the patch and prepare an ebuild and attach the ebuild to this bug. We can do prestable testing if we go for an extended embargo.

Comment 6 Patrick Kursawe (RETIRED) 2008-08-19 19:19:09 UTC

Created attachment 163324 [details, diff]
Patch for jasper-1.900.1-r1.ebuild

The patch seems to work straightforward - see attachment.

Comment 7 Robert Buchholz (RETIRED) 2008-08-19 19:46:42 UTC

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76

Comment 8 Jeroen Roovers (RETIRED) 2008-08-19 20:22:57 UTC

Ugh. Please post a full working ebuild next time -- The PV in the `ebuild.patch' should be PN, or the security patch shouldn't have PN in the name...

Comment 9 Jeroen Roovers (RETIRED) 2008-08-19 20:50:53 UTC

Created attachment 163328 [details]
jasper-1.900.1-r1.ebuild

HPPA is OK.

Comment 10 Jeroen Roovers (RETIRED) 2008-08-19 20:52:10 UTC

(In reply to comment #8)
 Ugh. Please post a full working ebuild next time -- The PV in the
- `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
+ `ebuild.patch' should be P, or the security patch shouldn't have PN in the

The attached ebuild fixes that.

Comment 11 Robert Buchholz (RETIRED) 2008-08-19 20:53:10 UTC

Created attachment 163329 [details]
jasper-1.900.1-r2.ebuild

Try this :-)

Comment 12 Robert Buchholz (RETIRED) 2008-08-19 20:54:07 UTC

oops, I lost that race. Sorry

Comment 13 Patrick Kursawe (RETIRED) 2008-08-20 07:29:40 UTC

(In reply to comment #8)
> Ugh. Please post a full working ebuild next time -- The PV in the
> `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
> name...

Sorry for the inconvenience. 

Comment 14 Jose Luis Rivero (yoswink) (RETIRED) 2008-08-20 08:41:41 UTC

Report for alpha:
 - compiles just fine
 - imagemagick is able to use the library
 - jasper is able to change the format between jpeg and bmp

green light here.

Comment 15 Markus Meier 2008-08-20 17:51:02 UTC

looks good on amd64/x86.

Comment 16 Markus Rothe (RETIRED) 2008-08-20 22:39:54 UTC

looks good on ppc64

Comment 17 Raúl Porcel (RETIRED) 2008-08-26 15:04:48 UTC

Looks good on ia64/sparc

Comment 18 Robert Buchholz (RETIRED) 2008-09-14 11:34:04 UTC

it's public

Comment 19 Robert Buchholz (RETIRED) 2008-09-14 11:35:09 UTC

Sorry, I forgot we haven't been stabling in-tree. Please commit straight to stable with the keywords gathered.

Comment 20 Robert Buchholz (RETIRED) 2008-10-04 18:35:39 UTC

*jasper-1.900.1-r2 (04 Oct 2008)

  04 Oct 2008; Robert Buchholz <rbu@gentoo.org> jasper-1.701.0.ebuild,
  +jasper-1.900.1-r2.ebuild:
  Fix multiple integer overflows (bug #222819), remove mips stable keyword.

Comment 21 Robert Buchholz (RETIRED) 2008-10-04 18:36:40 UTC

Arches, please test and mark stable:
=media-libs/jasper-1.900.1-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86"
Missing keywords: "arm ppc s390 sh"

Comment 22 Tobias Scherbaum (RETIRED) 2008-10-11 16:52:00 UTC

ppc stable

Comment 23 Tobias Heinlein (RETIRED) 2008-10-13 18:50:29 UTC

GLSA request filed.

Comment 24 Robert Buchholz (RETIRED) 2008-10-30 23:29:11 UTC

Let's recap this:
CVE-2008-3521 is not actually an issue, as Tomas Hoger pointed out in
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3521

CVE-2008-3520: Tomas Hoger pointed out on vendor-sec that the patch that was applied by us does not contain all needed jas_malloc -> jas_alloc2 changes. It also contains some unneeded hunks, but we can live with this. I'll attach the additional hunks we need to apply.

@Phosphan, can you apply those in an ebuild bump (or refresh the patch we ship with those additions). Thanks.

Comment 25 Robert Buchholz (RETIRED) 2008-10-30 23:29:42 UTC

Created attachment 170366 [details, diff]
jasper-1.900.1-CVE-2008-3520-redhat-additions.patch

Comment 26 Robert Buchholz (RETIRED) 2008-11-26 23:35:09 UTC

phosphan, ping

Comment 27 Patrick Kursawe (RETIRED) 2008-11-27 09:34:23 UTC

(In reply to comment #26)
> phosphan, ping

Thanks for pinging, did not notice this due to email overload after being absent for one month. Hope I will find the time to do this soon. Sorry.

Comment 28 Patrick Kursawe (RETIRED) 2008-12-10 10:48:32 UTC

Joined both patches and the fix from bug #245545 in -r3. Please check and declare it stable soon since the older versions are either insecure or broken.

Comment 29 Pierre-Yves Rofes (RETIRED) 2008-12-11 20:17:17 UTC

Arches, please test and mark stable media-libs/jasper-1.900.1-r3. Target keywords: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

Comment 30 Brent Baude (RETIRED) 2008-12-11 21:27:32 UTC

ppc64 done

Comment 31 Tobias Scherbaum (RETIRED) 2008-12-13 12:54:13 UTC

ppc stable

Comment 32 Tobias Klausmann (RETIRED) 2008-12-13 15:18:32 UTC

Stable on alpha.

Comment 33 Friedrich Oslage (RETIRED) 2008-12-13 22:05:56 UTC

sparc stable

Comment 34 Markus Meier 2008-12-14 12:44:59 UTC

amd64/x86 stable

Comment 35 Jeroen Roovers (RETIRED) 2008-12-14 21:03:00 UTC

Stable for HPPA.

Comment 36 Raúl Porcel (RETIRED) 2008-12-16 10:50:01 UTC

arm/ia64/sh stable

Comment 37 Robert Buchholz (RETIRED) 2008-12-16 22:09:19 UTC

GLSA 200812-18, thanks.