Vulnerability Note VU#887409
JasPer memory corruption vulnerabilities
Overview
Some versions of JasPer contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.
Description
JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows, which in turn may result in execution of attacker-controlled code.

CVE-2011-4516: src/libjasper/jpc/jpc_cs.c: jpc_cox_getcompparms

```c
...
		if (jpc_getuint8(in, &tmp)) {
			jpc_cox_destroycompparms(compparms);
			return -1;
		}
		compparms->rlvls[i].parwidthval = tmp & 0xf;
		compparms->rlvls[i].parheightval = (tmp >> 4) & 0xf;
	}
```

```c
...
	/* The type of marker segment. */
	uint_fast16_t id;
	/* The length of the marker segment. */
	uint_fast16_t len;
	/* The starting offset within the stream. */
	uint_fast32_t off;
	/* The parameters of the marker segment. */
	jpc_msparms_t parms;
	/* The marker segment operations. */
	struct jpc_msops_s *ops;
} jpc_ms_t;
```

Any subsequent failure in decoding the marker segment will result in the destroyparms member of the callback struct being invoked as part of cleanup. If the attacker has overwritten this callback via the loop above, attacker-controlled values can be loaded into the program counter.

CVE-2011-4517: src/libjasper/jpc/jpc_cs.c: jpc_crg_getparms

jpc_crg_getparms is called as part of the decoding of a component registration (CRG) marker segment. This function populates a heap buffer with data derived from the input file (in). The function contains an allocation size/type error: the heap buffer size is calculated using sizeof(uint_fast16_t), but the rest of the function assumes sizeof(jpc_crgcomp_t).

```c
...
	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
		return -1;
	}
...
	for (compno = 0, comp = crg->comps; compno < cstate->numcomps; ++compno, ++comp) {
		if (jpc_getuint16(in, &comp->hoff) || jpc_getuint16(in, &comp->voff)) {
			jpc_crg_destroyparms(ms);
			return -1;
		}
	}
```

The attacker can overwrite the bytes after crg->comps in memory with arbitrary data. This is a heap buffer overflow, which is generally considered exploitable. There are additional security implications here as well. The loop above is controlled by cstate->numcomps (cstate has one member: numcomps). cstate is allocated in a calling function, and is often allocated just before crg->comps. On some platforms the heap chunk allocated for cstate is located just after the heap chunk allocated for crg->comps, separated by only 4 bytes of heap accounting info. The accounting info + cstate (8 bytes after crg->comps) can be overwritten with bytes from the input file via the loop above. In these cases, the attacker can place a large number in cstate->numcomps to make the loop above iterate past the expected bound of crg->comps and copy an arbitrary number of bytes from the input file into the heap (a heap buffer overflow). This enables the attacker to perform well-known heap exploitation techniques, as well as to overwrite other active heap allocations, such as the callback pointers referenced in the previous bug description.
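The following is a hardened counterpart of the allocation-and-loop pattern quoted above. It is an added example written for this note, not JasPer's code or the vendor's fix: the types crgcomp_t, crg_t, cstate_t and stream_t, the reader get_uint16, and the sample payload SAMPLE_CRG are stand-ins constructed here (the JasPer types are assumed to have the fields the excerpt names, nothing more). It shows the four checks a decoder of attacker-supplied counts needs: size the buffer by the element type that is written through it, bound the count by the bytes the segment actually carries, refuse a size multiplication that would wrap, and iterate over a local copy of the count so that a heap write corrupting cstate->numcomps mid-parse cannot move the loop's bound.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the JasPer types named in the advisory
 * (jpc_crgcomp_t, jpc_crg_t, jpc_cstate_t). Field names follow the
 * excerpt; the layouts are assumptions made for this example. */
typedef struct {
    uint_fast16_t hoff;
    uint_fast16_t voff;
} crgcomp_t;

typedef struct {
    crgcomp_t *comps;
    size_t numcomps;   /* number of entries actually allocated */
} crg_t;

typedef struct {
    int numcomps;      /* the advisory notes cstate has this one member */
} cstate_t;

/* Minimal in-memory stream standing in for the decoder's input. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;        /* invariant: pos <= len */
} stream_t;

/* Big-endian 16-bit read that checks the remaining length first. */
static int get_uint16(stream_t *in, uint_fast16_t *out) {
    if (in->len - in->pos < 2)
        return -1;
    *out = (uint_fast16_t)(((uint_fast16_t)in->buf[in->pos] << 8) | in->buf[in->pos + 1]);
    in->pos += 2;
    return 0;
}

static void crg_destroyparms(crg_t *crg) {
    free(crg->comps);
    crg->comps = NULL;
    crg->numcomps = 0;
}

/* Hardened version of the quoted loop. Returns 0 on success and -1 on
 * any malformed input, in which case crg is left empty. */
static int crg_getparms(crg_t *crg, const cstate_t *cstate, stream_t *in) {
    crg->comps = NULL;
    crg->numcomps = 0;

    /* 1. Validate the count before using it as a size or a loop bound. */
    if (cstate->numcomps <= 0)
        return -1;
    size_t n = (size_t)cstate->numcomps;

    /* 2. Each component is 4 bytes in the stream; the segment must carry
     *    that many, so the count is bounded by the data actually present. */
    if (n > (in->len - in->pos) / 4)
        return -1;

    /* 3. Size the buffer by the type written through it (the CVE-2011-4517
     *    mismatch used a smaller scalar) and reject a wrapping product. */
    if (n > SIZE_MAX / sizeof(*crg->comps))
        return -1;
    crgcomp_t *comps = malloc(n * sizeof(*comps));
    if (!comps)
        return -1;

    /* 4. Loop over a local copy of the bound: even if cstate->numcomps is
     *    overwritten during parsing, at most n entries are ever written. */
    for (size_t i = 0; i < n; ++i) {
        if (get_uint16(in, &comps[i].hoff) || get_uint16(in, &comps[i].voff)) {
            free(comps);
            return -1;
        }
    }
    crg->comps = comps;
    crg->numcomps = n;
    return 0;
}

/* Constructed sample payload: two components, (hoff, voff) = (1, 2), (3, 4). */
static const uint8_t SAMPLE_CRG[] = { 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04 };

/* Parses SAMPLE_CRG with a claimed component count and returns the voff of
 * entry `index`, or -1 if the input is rejected or index is out of range. */
static long sample_voff(int claimed_numcomps, size_t index) {
    stream_t in = { SAMPLE_CRG, sizeof SAMPLE_CRG, 0 };
    cstate_t cstate = { claimed_numcomps };
    crg_t crg;
    if (crg_getparms(&crg, &cstate, &in) != 0)
        return -1;
    long v = (index < crg.numcomps) ? (long)crg.comps[index].voff : -1;
    crg_destroyparms(&crg);
    return v;
}

int main(void) {
    printf("numcomps=2, voff[1]=%ld\n", sample_voff(2, 1));        /* 4 */
    printf("numcomps=3 (too many): %ld\n", sample_voff(3, 0));      /* -1 */
    printf("numcomps=INT_MAX: %ld\n", sample_voff(INT_MAX, 0));     /* -1 */
    return 0;
}
```

The claimed count of 3 is rejected by check 2 before any allocation happens, and INT_MAX is rejected the same way; check 3 is the backstop for a count that fits the segment length but would still wrap the multiplication on a platform with a larger element type. A count smaller than the data present (1 against an 8-byte payload) is accepted, which matches the decoder's job: it must never read past the segment, but trailing bytes are the caller's concern.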
Impact
By tricking a user into opening or previewing an image file in an application that decodes images with the JasPer library, an attacker can execute arbitrary code or cause a denial-of-service crash.
Solution
Apply an update
Please consider the following workarounds:
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Artifex Software, Inc. | Affected | - | 14 Jun 2012 |
| Debian GNU/Linux | Affected | 20 Oct 2011 | 14 Jun 2012 |
| Fedora Project | Affected | 20 Oct 2011 | 08 Dec 2011 |
| Gentoo Linux | Affected | 20 Oct 2011 | 14 Jun 2012 |
| Oracle Corporation | Affected | 20 Oct 2011 | 02 Mar 2012 |
| Red Hat, Inc. | Affected | 20 Oct 2011 | 08 Dec 2011 |
| SUSE Linux | Affected | 20 Oct 2011 | 08 Dec 2011 |
| Ubuntu | Affected | 20 Oct 2011 | 08 Dec 2011 |
| Apple Inc. | Not Affected | 20 Oct 2011 | 08 Dec 2011 |
| Juniper Networks, Inc. | Not Affected | 20 Oct 2011 | 08 Dec 2011 |
| Openwall GNU/*/Linux | Not Affected | 20 Oct 2011 | 08 Dec 2011 |
| Cray Inc. | Unknown | 20 Oct 2011 | 20 Oct 2011 |
| DragonFly BSD Project | Unknown | 20 Oct 2011 | 20 Oct 2011 |
| EMC Corporation | Unknown | 20 Oct 2011 | 20 Oct 2011 |
| Engarde Secure Linux | Unknown | 20 Oct 2011 | 20 Oct 2011 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.0 | AV:N/AC:M/Au:N/C:C/I:C/A:P |
| Temporal | 7.0 | E:POC/RL:OF/RC:C |
| Environmental | 7.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- http://www.ece.uvic.ca/~frodo/jasper/
- http://cwe.mitre.org/data/definitions/122.html
- http://cwe.mitre.org/data/definitions/843.html
Credit
These vulnerabilities were discovered by Jonathan Foote of the CERT/CC.
This document was written by Jonathan Foote.
Other Information
- CVE IDs: CVE-2011-4516 CVE-2011-4517
- Date Public: 08 Dec 2011
- Date First Published: 09 Dec 2011
- Date Last Updated: 14 Jun 2012
- Severity Metric: 3.58
- Document Revision: 39
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.