Marc Espie and Christian Weisgerber have discovered several integer overflows in libjasper.

** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public **
What exactly am I supposed to do about this without any further information/patches/updated versions available? I am a bit irritated.
(In reply to comment #1)
> What exactly am I supposed to do about this without any further
> information/patches/updated versions available? I am a bit irritated.

Sorry, the CC was just to inform you. For the moment, patches have been provided on vendor-sec, but some of them are *BSD specific (e.g. they use strlcat()), so they'll need some additional work to make them apply on Linux.
The following analysis was provided by Ludwig Nussel of Suse/Novell:

CVE-2008-3520:
- patches change all occurrences of malloc(a*b) with jas_alloc2(a,b). Hard to tell whether any are actually exploitable. Some seem to multiply a value from the file with the size of a structure indeed. The ones that multiply two variables seem to be harmless due to 16 or only 8 bit values. I talked to Marc Espie but he is not interested in investigating it further. So unless someone wants to spend a lot of time analyzing the context of every multiplication, patching all such places seems to be a logical defensive measurement.

CVE-2008-3521:
- tmp race in jas_stream_tmpfile(), jas_stream.c

CVE-2008-3522:
- vsprintf buffer overflow in jas_stream_printf(), jas_stream.c. Potentially dangerous. Called from mif_hdr_put() where it's not obvious to me whether there is a limit on the passed string.
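The two bug classes in the analysis above, the wrapping malloc(a*b) product and the unbounded vsprintf into a fixed buffer, as an added illustration that is not code from libjasper, from the OpenBSD patches or from any of the commenters. checked_alloc2, checked_mul_u32 and bounded_format are hypothetical names chosen here (they are not the real jas_alloc2), and the header count 0x40000000 with an 8-byte element is a constructed input, not a value taken from a JasPer file.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical overflow-checked equivalent of malloc(n * size).
 * The multiplication is only performed once we know it cannot wrap. */
void *checked_alloc2(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size) {
        errno = ENOMEM;          /* product would wrap size_t */
        return NULL;
    }
    return malloc(n * size);
}

/* Same check on a 32-bit count, the width a file-format field typically has.
 * Returns 1 and stores the product on success, 0 if n * size would wrap. */
int checked_mul_u32(uint32_t n, uint32_t size, uint32_t *out)
{
    if (size != 0 && n > UINT32_MAX / size)
        return 0;
    *out = n * size;
    return 1;
}

/* Unchecked 32-bit product, showing what the unpatched pattern computes for
 * a hostile count: 0x40000000 * 8 = 0x200000000, which wraps to 0, so malloc()
 * would be asked for a tiny buffer that the decoder then fills with
 * 0x40000000 elements. (Constructed values.) */
uint32_t unchecked_product(uint32_t n, uint32_t size)
{
    return n * size;
}

/* Bounded replacement for formatting into a fixed buffer: vsnprintf never
 * writes past bufsz, and its return value (the length the full string would
 * have had) lets the caller detect truncation instead of an overflow. */
int bounded_format(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Helpers returning observable results for the constructed inputs. */
int demo_wrapped_product_is_zero(void)
{
    return unchecked_product(0x40000000u, 8u) == 0;
}

int demo_checked_mul_rejects(void)
{
    uint32_t out = 0xdeadbeefu;
    return checked_mul_u32(0x40000000u, 8u, &out) == 0;
}

int demo_checked_alloc_rejects(void)
{
    return checked_alloc2(SIZE_MAX, 2) == NULL;
}

int demo_checked_alloc_accepts(void)
{
    void *p = checked_alloc2(16, sizeof(uint32_t));
    int ok = p != NULL;
    free(p);
    return ok;
}

/* Formats an 18-character string into an 8-byte buffer: vsnprintf reports 18,
 * while the buffer holds only the first 7 characters plus the terminating NUL. */
int demo_truncated_length(void)
{
    char buf[8];
    return bounded_format(buf, sizeof buf, "%s", "a very long string");
}

size_t demo_truncated_buffer_len(void)
{
    char buf[8];
    bounded_format(buf, sizeof buf, "%s", "a very long string");
    return strlen(buf);
}

int main(void)
{
    printf("unchecked 0x40000000*8 wraps to zero: %d\n", demo_wrapped_product_is_zero());
    printf("checked_mul_u32 rejects it: %d\n", demo_checked_mul_rejects());
    printf("checked_alloc2(SIZE_MAX, 2) rejected: %d\n", demo_checked_alloc_rejects());
    printf("bounded_format would have needed %d bytes\n", demo_truncated_length());
    return 0;
}
```

The division-based check is the portable form; on compilers that provide it, __builtin_mul_overflow() expresses the same test in one call. The point for review is the one the analysis makes: whether a given multiplication is reachable with file-controlled operands wide enough to wrap, which is exactly what is hard to tell site by site and why patching every occurrence is the cheaper defensive choice.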
Created attachment 163282: jasper-1.900.1-CVE-2008-3520+1+2.patch

Relevant portions of the patches shipped by OpenBSD.
Patrick, we are currently discussing whether the patch and information about the vulnerabilities should be embargoed and until when. Please keep them confidential until this discussion has yielded a decision. In the meantime, please test the patch and prepare an ebuild and attach the ebuild to this bug. We can do prestable testing if we go for an extended embargo.
Created attachment 163324: Patch for jasper-1.900.1-r1.ebuild

The patch seems to work straightforward - see attachment.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa  : jer
ppc   : dertobi123
ppc64 : corsair
sparc : fmccor
x86   : maekke, armin76
Ugh. Please post a full working ebuild next time -- The PV in the `ebuild.patch' should be PN, or the security patch shouldn't have PN in the name...
Created attachment 163328: jasper-1.900.1-r1.ebuild

HPPA is OK.
(In reply to comment #8)
Ugh. Please post a full working ebuild next time -- The PV in the
- `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
+ `ebuild.patch' should be P, or the security patch shouldn't have PN in the

The attached ebuild fixes that.
Created attachment 163329: jasper-1.900.1-r2.ebuild

Try this :-)
oops, I lost that race. Sorry
(In reply to comment #8)
> Ugh. Please post a full working ebuild next time -- The PV in the
> `ebuild.patch' should be PN, or the security patch shouldn't have PN in the
> name...

Sorry for the inconvenience.
Report for alpha:
- compiles just fine
- imagemagick is able to use the library
- jasper is able to change the format between jpeg and bmp

Green light here.
looks good on amd64/x86.
looks good on ppc64
Looks good on ia64/sparc
it's public
Sorry, I forgot we haven't been stabling in-tree. Please commit straight to stable with the keywords gathered.
*jasper-1.900.1-r2 (04 Oct 2008)

  04 Oct 2008; Robert Buchholz <rbu@gentoo.org> jasper-1.701.0.ebuild,
  +jasper-1.900.1-r2.ebuild:
  Fix multiple integer overflows (bug #222819), remove mips stable keyword.
Arches, please test and mark stable: =media-libs/jasper-1.900.1-r2

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86"
Missing keywords: "arm ppc s390 sh"
ppc stable
GLSA request filed.
Let's recap this:

CVE-2008-3521 is not actually an issue, as Tomas Hoger pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3521

CVE-2008-3520: Tomas Hoger pointed out on vendor-sec that the patch that was applied by us does not contain all needed jas_malloc -> jas_alloc2 changes. It also contains some unneeded hunks, but we can live with this. I'll attach the additional hunks we need to apply.

@Phosphan, can you apply those in an ebuild bump (or refresh the patch we ship with those additions)? Thanks.
Created attachment 170366: jasper-1.900.1-CVE-2008-3520-redhat-additions.patch
phosphan, ping
(In reply to comment #26)
> phosphan, ping

Thanks for pinging, I did not notice this due to email overload after being absent for one month. Hope I will find the time to do this soon. Sorry.
Joined both patches and the fix from bug #245545 in -r3. Please check and declare it stable soon since the older versions are either insecure or broken.
Arches, please test and mark stable media-libs/jasper-1.900.1-r3.

Target keywords: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
ppc64 done
Stable on alpha.
sparc stable
amd64/x86 stable
Stable for HPPA.
arm/ia64/sh stable
GLSA 200812-18, thanks.