1) An error in the "jpc_cox_getcompparms()" function (src/libjasper/jpc/jpc_cs.c) when processing a coding style default (COD) marker segment can be exploited to overwrite a certain callback function pointer.
2) An error in the "jpc_crg_getparms()" function (src/libjasper/jpc/jpc_cs.c) when processing a component registration (CRG) marker segment can be exploited to cause a heap-based buffer overflow.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
I have verified that the files /src/libjasper/jpc/jpc_cs.c and /src/libjasper/jpc/jpc_cs.h both exist and that they contain the specified functions getcompparms() and getparms(). I went no farther.
Solution: Do not process files from untrusted sources.
Michael, thanks for the bug. Please include all herds and maintainers (from the package metadata) in CC. Also, please do not include version information in the Summary until we know what version is fixed in Gentoo. Thanks!
Is there a possible fix available?
Is this a valid fix?
(In reply to comment #3)
> Is this a valid fix?
It looks like it, yeah.
Looks ok, -r4 in CVS. Could the arch teams make it stable soon, please?
(In reply to comment #5)
> Could the arch teams make it stable soon, please?
done, amd64/x86 stable
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stable : "amd64 x86"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 s390 sh sparc"
Stable for HPPA.
The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a malformed JPEG2000 file.

Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a JPEG2000 file.
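The two descriptions above (and the original report at the top of this bug) describe the same defensive gap from two angles: a size computed in a type too narrow for it, and a per-component count copied into a fixed-size array without a limit check. The following C is an added illustration written for this thread, not JasPer's code and not the JPEG 2000 COD/CRG layout; the segment format, the `MAX_LEVELS` limit, the field names and the sample buffers are all constructed for the example. It shows the narrow-type size calculation as a pure computation, the `size_t` version with an overflow guard beside it, and a marker-segment reader that validates every length and count before it drives a copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit on per-component level entries; stands in for the kind
 * of fixed-size array that an unchecked count read from the file can overrun. */
#define MAX_LEVELS 8

struct comp_params {
    unsigned numlevels;               /* count taken from the file */
    uint8_t stepsize[MAX_LEVELS + 1]; /* one entry per level, fixed size */
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_COUNT };

/* The pattern behind "incorrect data type during a size calculation": the
 * product lands in a type too narrow to hold it, so a large count yields a
 * small size. Kept as a pure computation; never allocate from such a value. */
static uint8_t payload_size_narrow(uint8_t numlevels)
{
    uint8_t size = numlevels * 3;   /* 100 * 3 = 300 truncates to 44 */
    return size;
}

/* Same calculation in size_t with an explicit overflow guard. Returns 1 and
 * writes the size on success, 0 if the product would not fit in size_t. */
static int payload_size_checked(size_t numentries, size_t entry_size, size_t *out)
{
    if (entry_size == 0 || numentries > SIZE_MAX / entry_size)
        return 0;
    *out = numentries * entry_size;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when the guard rejects it. */
static size_t checked_size_or_zero(size_t numentries, size_t entry_size)
{
    size_t size;
    return payload_size_checked(numentries, entry_size, &size) ? size : 0;
}

/* Constructed segment layout for this example:
 *   [0..1] big-endian segment length, counting these two bytes
 *   [2]    numlevels
 *   [3..]  numlevels + 1 step-size bytes
 * Every value read from the buffer is checked before it drives a copy. */
static enum parse_status parse_segment(const uint8_t *buf, size_t buflen,
                                       struct comp_params *out)
{
    if (buflen < 3)
        return PARSE_TRUNCATED;
    size_t seglen = ((size_t)buf[0] << 8) | buf[1];
    if (seglen < 3 || seglen > buflen)
        return PARSE_TRUNCATED;      /* length field claims more than is present */
    unsigned numlevels = buf[2];
    if (numlevels > MAX_LEVELS)
        return PARSE_BAD_COUNT;      /* the check that keeps stepsize[] in bounds */
    if ((size_t)numlevels + 1 > seglen - 3)
        return PARSE_TRUNCATED;      /* entries must lie inside the segment */
    out->numlevels = numlevels;
    memcpy(out->stepsize, buf + 3, (size_t)numlevels + 1);
    return PARSE_OK;
}

/* Constructed inputs: a well-formed segment, one with an oversized count,
 * and one whose length field exceeds the data actually present. */
static enum parse_status demo_well_formed(void)
{
    static const uint8_t seg[] = { 0x00, 0x07, 0x03, 1, 2, 3, 4 };
    struct comp_params p;
    return parse_segment(seg, sizeof seg, &p);
}

static enum parse_status demo_oversized_count(void)
{
    static const uint8_t seg[] = { 0x00, 0x07, 0xFF, 1, 2, 3, 4 };
    struct comp_params p;
    return parse_segment(seg, sizeof seg, &p);
}

static enum parse_status demo_short_buffer(void)
{
    static const uint8_t seg[] = { 0x00, 0x09, 0x03, 1, 2, 3, 4 };
    struct comp_params p;
    return parse_segment(seg, sizeof seg, &p);
}

int main(void)
{
    printf("narrow size for 100 levels: %u\n", payload_size_narrow(100));
    printf("checked size for 100 levels: %zu\n", checked_size_or_zero(100, 3));
    printf("well-formed: %d, oversized count: %d, short buffer: %d\n",
           demo_well_formed(), demo_oversized_count(), demo_short_buffer());
    return 0;
}
```

The three rejections map onto the fix pattern used for bugs of this class: compute sizes in `size_t` with an overflow guard, compare a file-supplied count against the capacity of the array it indexes, and confirm the declared segment length fits the bytes actually available before copying.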
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in
GLSA 201201-10 at http://security.gentoo.org/glsa/glsa-201201-10.xml
by GLSA coordinator Sean Amoss (ackle).