| Field | Value |
|---|---|
| Summary | media-libs/jasper <1.900.1-r3 multiple vulnerabilities (CVE-2008-{3520,3521,3522}) |
| Product | Gentoo Security |
| Reporter | Matthias Geerdsen (RETIRED) <vorlon> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | phosphan, sci |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 245545 |
| Bug Blocks | |
| Attachments | |
Description
Matthias Geerdsen (RETIRED)
What exactly am I supposed to do about this without any further information/patches/updated versions available? I am a bit irritated.

(In reply to comment #1)
> What exactly am I supposed to do about this without any further
> information/patches/updated versions available? I am a bit irritated.

Sorry, the CC was just to inform you. For the moment, patches have been provided on vendor-sec, but some of them are *BSD specific (e.g. they use strlcat()), so they'll need some additional work to make them apply on Linux.

The following analysis was provided by Ludwig Nussel of Suse/Novell:

CVE-2008-3520:
- patches change all occurrences of malloc(a*b) with jas_alloc2(a,b). Hard to tell whether any are actually exploitable. Some seem to multiply a value from the file with the size of a structure indeed. The ones that multiply two variables seem to be harmless due to 16 or only 8 bit values. I talked to Marc Espie but he is not interested in investigating it further. So unless someone wants to spend a lot of time analyzing the context of every multiplication, patching all such places seems to be a logical defensive measurement.

CVE-2008-3521:
- tmp race in jas_stream_tmpfile(), jas_stream.c

CVE-2008-3522:
- vsprintf buffer overflow in jas_stream_printf(), jas_stream.c. Potentially dangerous. Called from mif_hdr_put() where it's not obvious to me whether there is a limit on the passed string.

Created attachment 163282 [details, diff]
jasper-1.900.1-CVE-2008-3520+1+2.patch
Relevant portions of the patches shipped by OpenBSD
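The two fix patterns named in the analysis above (replacing malloc(a*b) with a checked two-argument allocator for CVE-2008-3520, and bounding the formatted write for CVE-2008-3522), shown as an added stand-alone example; this is not jasper's code or the attached patch, and the names checked_alloc2, mul_overflows, wrapped_product_u32 and bounded_format are hypothetical.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if a * b would not fit in size_t, 0 otherwise. */
int mul_overflows(size_t a, size_t b)
{
    return a != 0 && b > SIZE_MAX / a;
}

/* Replacement for malloc(nmemb * size), hypothetical name: the product is
 * checked before the multiplication is performed, so a huge element count
 * read from a file cannot wrap into a small allocation. NULL on overflow. */
void *checked_alloc2(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    return malloc(nmemb * size);
}

/* Shows what the unchecked product does with a 32-bit size: the value is
 * reduced modulo 2^32, which is the root of the CVE-2008-3520 pattern. */
uint32_t wrapped_product_u32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size; /* unsigned arithmetic wraps silently */
}

/* Bounded formatting in place of a vsprintf() into a fixed buffer, the
 * CVE-2008-3522 pattern: vsnprintf() never writes past buf[bufsz - 1] and
 * returns the length the full string would have had, so the caller can
 * detect truncation instead of overflowing the buffer. */
int bounded_format(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return n;
}
```

A count of 0x40000001 elements of 4 bytes each yields a 4-byte allocation from the unchecked multiplication, which is exactly the case the checked allocator refuses.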
Patrick, we are currently discussing whether the patch and information about the vulnerabilities should be embargoed and until when. Please keep them confidential until this discussion has yielded a decision. In the meantime, please test the patch and prepare an ebuild and attach the ebuild to this bug. We can do prestable testing if we go for an extended embargo.

Created attachment 163324 [details, diff]
Patch for jasper-1.900.1-r1.ebuild
The patch seems to work straightforward - see attachment.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76

Ugh. Please post a full working ebuild next time -- The PV in the `ebuild.patch' should be PN, or the security patch shouldn't have PN in the name...

Created attachment 163328 [details]
jasper-1.900.1-r1.ebuild
HPPA is OK.
(In reply to comment #8)
Ugh. Please post a full working ebuild next time -- The PV in the
- `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
+ `ebuild.patch' should be P, or the security patch shouldn't have PN in the

The attached ebuild fixes that.

Created attachment 163329 [details]
jasper-1.900.1-r2.ebuild
Try this :-)
Oops, I lost that race. Sorry.

(In reply to comment #8)
> Ugh. Please post a full working ebuild next time -- The PV in the
> `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
> name...

Sorry for the inconvenience.

Report for alpha:
- compiles just fine
- imagemagick is able to use the library
- jasper is able to change the format between jpeg and bmp

Green light here.

Looks good on amd64/x86.

Looks good on ppc64.

Looks good on ia64/sparc.

It's public.

Sorry, I forgot we haven't been stabling in-tree. Please commit straight to stable with the keywords gathered.

*jasper-1.900.1-r2 (04 Oct 2008)
04 Oct 2008; Robert Buchholz <rbu@gentoo.org> jasper-1.701.0.ebuild, +jasper-1.900.1-r2.ebuild:
Fix multiple integer overflows (bug #222819), remove mips stable keyword.

Arches, please test and mark stable: =media-libs/jasper-1.900.1-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86"
Missing keywords: "arm ppc s390 sh"

ppc stable

GLSA request filed.

Let's recap this:

CVE-2008-3521 is not actually an issue, as Tomas Hoger pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3521

CVE-2008-3520: Tomas Hoger pointed out on vendor-sec that the patch that was applied by us does not contain all needed jas_malloc -> jas_alloc2 changes. It also contains some unneeded hunks, but we can live with this. I'll attach the additional hunks we need to apply.

@Phosphan, can you apply those in an ebuild bump (or refresh the patch we ship with those additions). Thanks.

Created attachment 170366 [details, diff]
jasper-1.900.1-CVE-2008-3520-redhat-additions.patch
phosphan, ping

(In reply to comment #26)
> phosphan, ping

Thanks for pinging, did not notice this due to email overload after being absent for one month. Hope I will find the time to do this soon. Sorry.

Joined both patches and the fix from bug #245545 in -r3. Please check and declare it stable soon since the older versions are either insecure or broken.

Arches, please test and mark stable media-libs/jasper-1.900.1-r3.
Target keywords: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

ppc64 done

ppc stable

Stable on alpha.

sparc stable

amd64/x86 stable

Stable for HPPA.

arm/ia64/sh stable

GLSA 200812-18, thanks.