Bug 537530 (CVE-2014-8157) - <media-libs/jasper-1.900.1-r9: input sanitization errors (CVE-2014-{8157,8158})
Status: RESOLVED FIXED
Alias: CVE-2014-8157
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Reported: 2015-01-24 09:46 UTC by Agostino Sarubbo
Modified: 2015-03-06 15:29 UTC
Description Agostino Sarubbo gentoo-dev 2015-01-24 09:46:34 UTC
From ${URL} :

#2015-001 JasPer input sanitization errors

Description:

The JasPer project is an open source implementation for the JPEG-2000 codec.

The library is affected by an off-by-one error in a buffer boundary check in
jpc_dec_process_sot(), leading to a heap based buffer overflow, as well as
multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack
overflow.

A specially crafted JPEG-2000 file can be used to trigger the vulnerabilities.

Affected version:

JasPer <= 1.900.1

Fixed version:

JasPer, N/A

Credit: vulnerability report received from <pyddeh@...il.com>.

CVE: CVE-2014-8157 (off-by-one heap buffer overflow),
     CVE-2014-8158 (stack overflow)

Timeline:
2015-01-06: vulnerability report received
2015-01-06: contacted affected vendors, assigned CVEs
2015-01-21: advisory release

References:
http://www.ece.uvic.ca/~frodo/jasper


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-01-24 13:14:53 UTC
+*jasper-1.900.1-r9 (24 Jan 2015)
+
+  24 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r9.ebuild,
+  +files/jasper-CVE-2014-8157.patch, +files/jasper-CVE-2014-8158.patch:
+  Add fixes for CVE-2014-815{7,8}, #537530
+
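Review bot: The summary line "Add fixes for CVE-2014-815{7,8}, #537530" uses brace shorthand, so a search of the ChangeLog for the full identifier CVE-2014-8157 or CVE-2014-8158 will not match this entry. Spelling out both identifiers in the message, as the patch file names in the same entry already do, keeps the fix traceable per CVE.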
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-01-24 13:15:48 UTC
@arches, please stabilize, target is

media-libs/jasper-1.900.1-r9
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-25 09:40:27 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-25 11:14:09 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-25 11:14:59 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2015-01-25 21:19:35 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-31 10:32:33 UTC
ppc stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-01 04:09:33 UTC
CVE-2014-8158 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8158):
  Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and
  earlier allow remote attackers to cause a denial of service (crash) or
  possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-8157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8157):
  Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and
  earlier allows remote attackers to cause a denial of service (crash) or
  possibly execute arbitrary code via a crafted JPEG 2000 image, which
  triggers a heap-based buffer overflow.
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-16 10:23:01 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:14 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-23 11:37:52 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:20 UTC
alpha stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2015-02-24 11:24:55 UTC
+  24 Feb 2015; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r8.ebuild:
+  Drop vulnerable version
+
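Review bot: The message "Drop vulnerable version" on the -jasper-1.900.1-r8.ebuild removal names neither the bug nor the CVEs, unlike the entry that added -r9, which cites #537530. Adding the bug number here would let someone reading the ChangeLog see why -r8 was considered vulnerable without searching the tracker.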

Cleaned
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 01:15:16 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-03-06 15:29:28 UTC
This issue was resolved and addressed in
 GLSA 201503-01 at http://security.gentoo.org/glsa/glsa-201503-01.xml
by GLSA coordinator Mikle Kolyada (Zlogene).