Bug 222819 (CVE-2008-3520) - media-libs/jasper <1.900.1-r3 multiple vulnerabilities (CVE-2008-{3520,3521,3522})
Status: RESOLVED FIXED
Alias: CVE-2008-3520
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: 245545
Blocks:
Reported: 2008-05-19 14:46 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-12-16 22:09 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
jasper-1.900.1-CVE-2008-3520+1+2.patch (26.85 KB, patch) - 2008-08-19 09:30 UTC, Robert Buchholz (RETIRED)
Patch for jasper-1.900.1-r1.ebuild (ebuild.patch, 280 bytes, patch) - 2008-08-19 19:19 UTC, Patrick Kursawe (RETIRED)
jasper-1.900.1-r1.ebuild (1.35 KB, text/plain) - 2008-08-19 20:50 UTC, Jeroen Roovers
jasper-1.900.1-r2.ebuild (1.35 KB, text/plain) - 2008-08-19 20:53 UTC, Robert Buchholz (RETIRED)
jasper-1.900.1-CVE-2008-3520-redhat-additions.patch (8.02 KB, patch) - 2008-10-30 23:29 UTC, Robert Buchholz (RETIRED)

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-05-19 14:46:36 UTC
Marc Espie and Christian Weisgerber have discovered several integer overflows in libjasper

** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public **
Comment 1 Patrick Kursawe (RETIRED) gentoo-dev 2008-05-20 07:15:03 UTC
What exactly am I supposed to do about this without any further information/patches/updated versions available? I am a bit irritated.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-20 21:35:01 UTC
(In reply to comment #1)
> What exactly am I supposed to do about this without any further
> information/patches/updated versions available? I am a bit irritated.
> 

sorry, the CC was just to inform you. For the moment, patches have been provided on vendor-sec, but some of them are *BSD specific (e.g. they use strlcat()), so they'll need some additional work to make them apply on Linux.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 09:29:19 UTC
The following analysis was provided by Ludwig Nussel of Suse/Novell:

CVE-2008-3520:
- patches change all occurrences of malloc(a*b) with
  jas_alloc2(a,b). Hard to tell whether any are actually
  exploitable. Some seem to multiply a value from the file with the
  size of a structure indeed. The ones that multiply two variables
  seem to be harmless due to 16 or only 8 bit values. I talked to
  Marc Espie but he is not interested in investigating it further.
  So unless someone wants to spend a lot of time analyzing the
  context of every multiplication patching all such places seems to
  be a logical defensive measurement.

CVE-2008-3521:
- tmp race in jas_stream_tmpfile(), jas_stream.c

CVE-2008-3522:
- vsprintf buffer overflow in jas_stream_printf(), jas_stream.c. Potentially
  dangerous. Called from mif_hdr_put() where it's not obvious to me
  whether there is a limit on the passed string.
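The two items Nussel flags as potentially dangerous both come down to a missing bound: the malloc(a*b) products in CVE-2008-3520, where a count read from the file is multiplied by a structure size and the product can wrap, and the vsprintf() into a fixed buffer in CVE-2008-3522, where nothing caps the formatted length. The following C example was added here and is neither JasPer code nor the patch attached to this bug. alloc2_checked shows the two-argument allocator idea behind the malloc(a*b) -> jas_alloc2(a,b) replacement (fail closed when the product would exceed SIZE_MAX), and bounded_printf shows the vsnprintf()-based replacement with truncation reported rather than ignored. The helper names, the 16-byte buffer size and the sample counts are assumptions chosen for the illustration; the tmpfile race (CVE-2008-3521) is not covered.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* CVE-2008-3520 pattern: malloc(a * b) with the product computed in size_t.
 * If 'nmemb' comes from the file (an element count) and 'size' is
 * sizeof(struct), a large count wraps the product to a small value; the
 * allocation succeeds and later writes indexed by 'nmemb' run off the end
 * of the block. Kept only to show the unsafe shape; never called here. */
static void *alloc_unchecked(size_t nmemb, size_t size)
{
    return malloc(nmemb * size);            /* product may wrap */
}

/* Returns 1 if nmemb * size does not fit in size_t, else 0. */
int mul_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Checked two-argument allocator (illustrative equivalent of replacing
 * malloc(a*b) with a jas_alloc2(a,b)-style call): fail closed on wrap. */
void *alloc2_checked(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    return malloc(nmemb * size);
}

/* Helper for the test: 1 if the checked allocator hands back memory. */
int checked_alloc_succeeds(size_t nmemb, size_t size)
{
    void *p = alloc2_checked(nmemb, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* CVE-2008-3522 pattern: vsprintf() into a fixed buffer has no idea how big
 * the buffer is. vsnprintf() always NUL-terminates within 'cap' and returns
 * the length the full output would have had, so truncation is detectable.
 * Returns bytes written (excluding the NUL), or -1 on truncation/error. */
int bounded_printf(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap)
        return -1;                          /* would not fit, buffer intact */
    return n;
}

/* Helper for the test: format a caller-supplied string into a 16-byte
 * buffer (assumed size) and report what bounded_printf returned. */
int format_into_small_buffer(const char *s)
{
    char buf[16];
    return bounded_printf(buf, sizeof buf, "%s", s);
}

int main(void)
{
    /* A plausible header count times a structure size: no wrap on 64-bit. */
    printf("1000 * 24 overflows: %d\n", mul_overflows(1000, 24));
    /* Forces a wrap on any pointer width. */
    printf("SIZE_MAX/2+1 * 2 overflows: %d\n",
           mul_overflows(SIZE_MAX / 2 + 1, 2));
    printf("short string -> %d\n", format_into_small_buffer("short"));
    printf("long string  -> %d\n",
           format_into_small_buffer("definitely longer than sixteen bytes"));
    (void)alloc_unchecked;
    return 0;
}
```

The check in mul_overflows is the same one a two-argument allocator has to make: dividing SIZE_MAX by the count avoids computing the product at all, so it cannot itself wrap. For the printf side, the return value of vsnprintf() is the only reliable signal that output was cut, which is why the caller must test it instead of assuming the buffer was large enough.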
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 09:30:00 UTC
Created attachment 163282 [details, diff]
jasper-1.900.1-CVE-2008-3520+1+2.patch

Relevant portions of the patches shipped by OpenBSD
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 09:31:57 UTC
Patrick, we are currently discussing whether the patch and information about the vulnerabilities should be embargoed and until when. Please keep them confidential until this discussion has yielded a decision.
In the meantime, please test the patch and prepare an ebuild and attach the ebuild to this bug. We can do prestable testing if we go for an extended embargo.
Comment 6 Patrick Kursawe (RETIRED) gentoo-dev 2008-08-19 19:19:09 UTC
Created attachment 163324 [details, diff]
Patch for jasper-1.900.1-r1.ebuild

The patch seems to work straightforwardly - see attachment.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 19:46:42 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 8 Jeroen Roovers gentoo-dev 2008-08-19 20:22:57 UTC
Ugh. Please post a full working ebuild next time -- The PV in the `ebuild.patch' should be PN, or the security patch shouldn't have PN in the name...
Comment 9 Jeroen Roovers gentoo-dev 2008-08-19 20:50:53 UTC
Created attachment 163328 [details]
jasper-1.900.1-r1.ebuild

HPPA is OK.
Comment 10 Jeroen Roovers gentoo-dev 2008-08-19 20:52:10 UTC
(In reply to comment #8)
 Ugh. Please post a full working ebuild next time -- The PV in the
- `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
+ `ebuild.patch' should be P, or the security patch shouldn't have PN in the

The attached ebuild fixes that.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:53:10 UTC
Created attachment 163329 [details]
jasper-1.900.1-r2.ebuild

Try this :-)
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:54:07 UTC
oops, I lost that race. Sorry
Comment 13 Patrick Kursawe (RETIRED) gentoo-dev 2008-08-20 07:29:40 UTC
(In reply to comment #8)
> Ugh. Please post a full working ebuild next time -- The PV in the
> `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
> name...

Sorry for the inconvenience. 

Comment 14 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-08-20 08:41:41 UTC
Report for alpha:
 - compiles just fine
 - imagemagick is able to use the library
 - jasper is able to change the format between jpeg and bmp

green light here.
Comment 15 Markus Meier gentoo-dev 2008-08-20 17:51:02 UTC
looks good on amd64/x86.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2008-08-20 22:39:54 UTC
looks good on ppc64
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2008-08-26 15:04:48 UTC
Looks good on ia64/sparc
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-09-14 11:34:04 UTC
it's public
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-09-14 11:35:09 UTC
Sorry, I forgot we haven't been stabling in-tree. Please commit straight to stable with the keywords gathered.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 18:35:39 UTC
*jasper-1.900.1-r2 (04 Oct 2008)

  04 Oct 2008; Robert Buchholz <rbu@gentoo.org> jasper-1.701.0.ebuild,
  +jasper-1.900.1-r2.ebuild:
  Fix multiple integer overflows (bug #222819), remove mips stable keyword.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 18:36:40 UTC
Arches, please test and mark stable:
=media-libs/jasper-1.900.1-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86"
Missing keywords: "arm ppc s390 sh"
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-11 16:52:00 UTC
ppc stable
Comment 23 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-13 18:50:29 UTC
GLSA request filed.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 23:29:11 UTC
Let's recap this:
CVE-2008-3521 is not actually an issue, as Tomas Hoger pointed out in
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3521

CVE-2008-3520: Tomas Hoger pointed out on vendor-sec that the patch that was applied by us does not contain all needed jas_malloc -> jas_alloc2 changes. It also contains some unneeded hunks, but we can live with this. I'll attach the additional hunks we need to apply.

@Phosphan, can you apply those in an ebuild bump (or refresh the patch we ship with those additions). Thanks.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 23:29:42 UTC
Created attachment 170366 [details, diff]
jasper-1.900.1-CVE-2008-3520-redhat-additions.patch
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 23:35:09 UTC
phosphan, ping
Comment 27 Patrick Kursawe (RETIRED) gentoo-dev 2008-11-27 09:34:23 UTC
(In reply to comment #26)
> phosphan, ping

Thanks for pinging, did not notice this due to email overload after being absent for one month. Hope I will find the time to do this soon. Sorry.

Comment 28 Patrick Kursawe (RETIRED) gentoo-dev 2008-12-10 10:48:32 UTC
Joined both patches and the fix from bug #245545 in -r3. Please check and declare it stable soon since the older versions are either insecure or broken.
Comment 29 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-11 20:17:17 UTC
Arches, please test and mark stable media-libs/jasper-1.900.1-r3. Target keywords: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 30 Brent Baude (RETIRED) gentoo-dev 2008-12-11 21:27:32 UTC
ppc64 done
Comment 31 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-13 12:54:13 UTC
ppc stable
Comment 32 Tobias Klausmann gentoo-dev 2008-12-13 15:18:32 UTC
Stable on alpha.
Comment 33 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-13 22:05:56 UTC
sparc stable
Comment 34 Markus Meier gentoo-dev 2008-12-14 12:44:59 UTC
amd64/x86 stable
Comment 35 Jeroen Roovers gentoo-dev 2008-12-14 21:03:00 UTC
Stable for HPPA.
Comment 36 Raúl Porcel (RETIRED) gentoo-dev 2008-12-16 10:50:01 UTC
arm/ia64/sh stable
Comment 37 Robert Buchholz (RETIRED) gentoo-dev 2008-12-16 22:09:19 UTC
GLSA 200812-18, thanks.