Date: Wed, 26 Aug 2015 23:01:28 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Multiple memory corruptions caused by uninitialized values in JasPer 1.900

Hi,

Following Raphael's advice, I found some memory corruptions in JasPer 1.900
after a quick round of fuzzing of the regression tests of OpenJPEG. A few
interesting test cases are available here:

https://zimbra.imag.fr/home/gustavo.grieco@...g.fr/Briefcase/Public/cases.tar.gz

They are compressed to avoid easily crashing programs like Nautilus and
Firefox. All of them can be verified using:

jasper --input $filename --output-format pnm

(tested on Ubuntu 14.04, 32-bit, but it should work in other configurations)

Additionally, sigsegv.jp2 crashes most of the programs using gdk-pixbuf,
like Firefox and Chrome (!). I reported this issue to them a few days ago and
advised them to disable previews of JPEG images, since JasPer is unmaintained
and vulnerable. Mozilla developers are working hard trying to find a
workaround to avoid using the vulnerable code.
On the other hand, Chromium developers dismissed this issue, saying that
they will wait for the "upstream fix".

I think the cause of such memory corruptions is uninitialized values, taken
from the heap, as valgrind reports:


==15417== Memcheck, a memory error detector
==15417== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==15417== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==15417== Command: jasper --input sigsegv.jp2 --output-format pnm
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405EE3F: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C926: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405F06C: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405F110: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405C826: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4057805: jp2_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x404BDAB: jas_image_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x8048D78: ??? (in /usr/bin/jasper)
==15417==    by 0x40B1A82: (below main) (libc-start.c:287)
==15417==

Regards,
Gustavo.
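An added example, not part of Gustavo's post or of JasPer itself: a small Python triage helper for the memcheck output format quoted above. It splits a report into records and buckets them by error kind, first symbolised faulting function and the allocation site beneath the allocator wrappers, so that many fuzzing crashes collapse into a few root causes. The embedded sample is a constructed excerpt of the trace above with wrapped lines rejoined, and the set of wrapper frames to look past (jas_alloc2 -> jas_malloc -> malloc, as the trace shows) is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt of the memcheck output quoted in the post, wrapped lines rejoined.
SAMPLE = """\
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405EE3F: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x405127A: jas_malloc (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==
==15417== Conditional jump or move depends on uninitialised value(s)
==15417==    at 0x405F06C: ??? (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==  Uninitialised value was created by a heap allocation
==15417==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==15417==    by 0x4051323: jas_alloc2 (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
==15417==    by 0x405E6FC: jpc_decode (in /usr/lib/i386-linux-gnu/libjasper.so.1.0.0)
"""

FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) ")
ORIGIN_MARK = "Uninitialised value was created by"
# Assumed allocator layers to look past when naming the allocation site.
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "jas_malloc", "jas_alloc2"}

def parse_memcheck(text):
    """Split memcheck output into {'kind', 'frames', 'origin'} records."""
    records, stack = [], None
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==\s?", "", raw)    # drop the ==PID== prefix
        m = FRAME_RE.match(line.strip())
        if m and stack is not None:
            stack.append(m.group(1))               # one stack frame
        elif ORIGIN_MARK in line and records:
            stack = records[-1]["origin"]          # allocation stack follows
        elif line and not line.startswith(" "):    # error header line
            records.append({"kind": line.rstrip(), "frames": [], "origin": []})
            stack = records[-1]["frames"]
    return [r for r in records if r["frames"]]     # drop banner-only records

def first_named(frames, skip=()):
    # First symbolised frame (not '???') that is not an allocator wrapper.
    return next((f for f in frames if f != "???" and f not in skip), None)

def bucket(records):
    # Count records by (error kind, faulting function, allocation site).
    return Counter((r["kind"], first_named(r["frames"]),
                    first_named(r["origin"], ALLOC_WRAPPERS)) for r in records)
```

Both records above land in one bucket keyed on jpc_decode for both the fault and the allocation, which is the signal that a single uninitialised allocation explains several distinct error addresses.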
