| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <media-libs/jasper-2.0.14: Left shift of negative value in jas_fast32_asl() in jas_math.h | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | sci |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ | | |
| See Also | https://bugzilla.suse.com/show_bug.cgi?id=1020353 | | |
| Whiteboard | B3 [noglsa cve] | | |
| Package list | | Runtime testing required | --- |
Description
Agostino Sarubbo 2017-03-27 09:20:35 UTC

CVE ID: CVE-2017-5498
Summary: libjasper/include/jasper/jas_math.h in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
Published: 2017-03-01T15:59:00.000Z

From https://bugzilla.suse.com/show_bug.cgi?id=1020353#c1:

> This issue should only show if jasper was compiled with `-fsanitize=undefined`.
>
> When I run the reproducer against our SLE-12:Update codestream then `imginfo`
> runs into an assertion instead:
>
> jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.
>
> I don't think this issue is very severe, since under most circumstances the
> undefined left shifts do the expected thing.
>
> I found various upstream commits that deal with this:
>
> 1) They disabled the undefined behaviour sanitizer via the preprocessor on this
> specific spot:
>
> https://github.com/mdadams/jasper/commit/b032fe7fedd0b856bbe5bd7186fc1d22c03ade9f
>
> 2) They added a runtime assertion that the undefined left shift does what they
> expect from it:
>
> https://github.com/mdadams/jasper/commit/dc129830baf8cfe104454d3a6e426f55af51b1d3
>
> 3) They replaced all bit shift operations by calls to their wrapper function:
>
> https://github.com/mdadams/jasper/commit/b9be3d9f35fccb7811ff68bbd6a57156f0192427

@ Maintainer(s): Please bump to >=2.0.13!
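The third upstream approach quoted above, replacing raw shifts with a wrapper, as an added example that is not JasPer's own code: it assumes a 32-bit two's-complement stand-in for `jas_fast32_t` and shows a left shift that is defined for negative inputs and also reports overflow instead of wrapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for JasPer's jas_fast32_t. Assumption for this example: a
   32-bit two's-complement signed integer. */
typedef int32_t fast32_t;

/* The form UBSan flags is `x << n` with negative x, which C leaves undefined
   even though most compilers emit a plain shift. This replacement shifts the
   unsigned magnitude (defined for every value) and restores the sign.
   Returns 1 and stores the result in *out, or returns 0 when n is out of
   range or the shifted value does not fit in 32 bits. */
static int asl_checked(fast32_t x, int n, fast32_t *out)
{
    if (n < 0 || n >= 32)
        return 0;
    /* |x| computed in unsigned arithmetic so INT32_MIN does not overflow. */
    uint32_t mag = (x < 0) ? (uint32_t)0 - (uint32_t)x : (uint32_t)x;
    /* Largest magnitude representable after the shift: 2^31 for a negative
       result, 2^31 - 1 for a positive one. */
    uint32_t limit = (x < 0) ? (uint32_t)INT32_MAX + 1u : (uint32_t)INT32_MAX;
    if (mag > (limit >> n))
        return 0;
    uint32_t shifted = mag << n;
    if (x >= 0)
        *out = (fast32_t)shifted;
    else if (shifted == (uint32_t)INT32_MAX + 1u)
        *out = INT32_MIN;           /* -2^31 has no positive counterpart */
    else
        *out = -(fast32_t)shifted;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, including the sign and overflow edges. */
    const fast32_t samples[] = { 5, -5, -1, INT32_MIN / 2, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fast32_t r;
        if (asl_checked(samples[i], 3, &r))
            printf("%ld << 3 = %ld\n", (long)samples[i], (long)r);
        else
            printf("%ld << 3 does not fit in 32 bits\n", (long)samples[i]);
    }
    return 0;
}
```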