Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 394879 (CVE-2011-4516) - <media-libs/jasper-1.900.1-r4: JPEG2000 File Processing vulnerabilities CVE-2011-{4516,4517}
Summary: <media-libs/jasper-1.900.1-r4: JPEG2000 File Processing vulnerabilities CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2011-4516
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/47175/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-15 23:35 UTC by Michael Harrison
Modified: 2012-01-23 20:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2011-12-15 23:35:31 UTC
1) An error in the "jpc_cox_getcompparms()" function (src/libjasper/jpc/jpc_cs.c) when processing a coding style default (COD) marker segment can be exploited to overwrite a certain callback function pointer.

2) An error in the "jpc_crg_getparms()" function (src/libjasper/jpc/jpc_cs.c) when processing a component registration (CRG) marker segment can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Original Advisory:
http://www.kb.cert.org/vuls/id/887409

I have verified that the files /src/libjasper/jpc/jpc_cs.c and /src/libjasper/jpc/jpc_cs.h both exist and that they contain the specified functions getcompparms() and getparms(). I went no farther. 

Solution: Do not process files from untrusted sources.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-12-16 16:27:33 UTC
Michael, thanks for the bug. Please include all herds and maintainers (from the package metadata) in CC. Also, please do not include version information in the Summary until we know what version is fixed in Gentoo. Thanks!
Comment 2 Justin Lecher gentoo-dev 2011-12-17 13:02:59 UTC
Is their a possible fix available?
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-12-17 17:19:52 UTC
(In reply to comment #3)
> Does this be a valid fix?
> 

It looks like it, yeah.
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2011-12-17 20:53:14 UTC
Looks ok, -r4 in CVS. Could the arch teams make it stable soon, please?
Comment 6 Agostino Sarubbo gentoo-dev 2011-12-18 01:31:43 UTC
(In reply to comment #5)
Could the arch teams make it stable soon, please?

done, amd64/x86 stable
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-12-18 15:48:57 UTC
Arches, please test and mark stable:
=media-libs/jasper-1.900.1-r4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stable  : "amd64 x86"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 s390 sh sparc"
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2011-12-18 16:45:20 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-19 12:41:17 UTC
Stable for HPPA.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-12-20 00:08:37 UTC
CVE-2011-4517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4517):
  The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1
  uses an incorrect data type during a certain size calculation, which allows
  remote attackers to trigger a heap-based buffer overflow and execute
  arbitrary code, or cause a denial of service (heap memory corruption), via a
  malformed JPEG2000 file.

CVE-2011-4516 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4516):
  Heap-based buffer overflow in the jpc_cox_getcompparms function in
  libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via a
  crafted numrlvls value in a JPEG2000 file.
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2011-12-27 00:48:22 UTC
ppc/ppc64 done
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:23:04 UTC
Thanks, everyone. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:36:46 UTC
This issue was resolved and addressed in
 GLSA 201201-10 at http://security.gentoo.org/glsa/glsa-201201-10.xml
by GLSA coordinator Sean Amoss (ackle).