Bug 614026 (CVE-2017-5498)

Summary: <media-libs/jasper-2.0.14: Left shift of negative value in jas_fast32_asl() in jas_math.h
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: sci
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1020353
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-03-27 09:20:35 UTC
Details at $URL.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-28 06:22:08 UTC
CVE ID: CVE-2017-5498
Summary: libjasper/include/jasper/jas_math.h in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
Published: 2017-03-01T15:59:00.000Z
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 20:40:03 UTC
From https://bugzilla.suse.com/show_bug.cgi?id=1020353#c1:

> This issue should only show if jasper was compiled with `-fsanitize=undefined`.
> 
> When I run the reproducer against our SLE-12:Update codestream then `imginfo`
> runs into an assertion instead:
> 
>   jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.
> 
> I don't think this issue is very severe, since under most circumstances the
> undefined left shifts do the expected thing.
> 
> I found various upstream commits that deal with this:
> 
> 1) They disabled the undefined behaviour sanitizer via the preprocessor on this
> specific spot:
> 
> https://github.com/mdadams/jasper/commit/b032fe7fedd0b856bbe5bd7186fc1d22c03ade9f
> 
> 2) They added a runtime assertion that the undefined left shift does what they
> expect from it:
> 
> https://github.com/mdadams/jasper/commit/dc129830baf8cfe104454d3a6e426f55af51b1d3
> 
> 3) They replaced all bit shift operations by calls to their wrapper function:
> 
> https://github.com/mdadams/jasper/commit/b9be3d9f35fccb7811ff68bbd6a57156f0192427
@ Maintainer(s): Please bump to >=2.0.13!
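As an added illustration, not code from JasPer, the bug, or the quoted SUSE comment: a hypothetical UB-free arithmetic-shift-left wrapper of the kind the third upstream commit substitutes for raw `<<`, alongside a checked variant that reports the case the second commit's runtime assertion guards against (a shift whose result does not fit the 32-bit type). Function names, the wrap-around semantics and the sample values are assumptions made for this example.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The pattern UBSan flags as "left shift of negative value" is `x << n`
 * with a negative signed x: undefined behaviour in C, even though most
 * compilers happen to emit a plain shift.  The helpers below (hypothetical,
 * not JasPer's jas_fast32_asl) make that operation well defined. */

/* Wrap-around variant: defined for every x and 0 <= n < 32.  The shift is
 * done in unsigned arithmetic (defined, modulo 2^32) and the result is
 * mapped back to two's complement without relying on the implementation-
 * defined unsigned-to-signed conversion. */
int32_t asl32_wrap(int32_t x, int n)
{
    assert(n >= 0 && n < 32);
    uint32_t r = (uint32_t)x << n;
    if (r <= (uint32_t)INT32_MAX)
        return (int32_t)r;
    return (int32_t)(r - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Checked variant: returns false, leaving *out untouched, when the exact
 * mathematical value x * 2^n does not fit in int32_t; true otherwise. */
bool asl32_checked(int32_t x, int n, int32_t *out)
{
    if (n < 0 || n >= 32)
        return false;
    int32_t hi = INT32_MAX >> n;  /* largest x whose shift stays in range */
    int32_t lo = -hi - 1;         /* smallest such x */
    if (x > hi || x < lo)
        return false;
    *out = asl32_wrap(x, n);
    return true;
}

int main(void)
{
    int32_t out = 0;
    /* constructed sample values */
    printf("asl32_wrap(-3, 2) = %d\n", asl32_wrap(-3, 2));
    printf("asl32_checked(-3, 2) -> %d, out = %d\n",
           asl32_checked(-3, 2, &out), out);
    printf("asl32_checked(INT32_MAX, 1) -> %d\n",
           asl32_checked(INT32_MAX, 1, &out));
    return 0;
}
```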