jasper: input sanitization errors (CVE-2014-8137, CVE-2014-8138, CVE-2014-8157, CVE-2014-8158)
CVE-2014-8137:
Double free vulnerability in the jas_iccattrval_destroy function in
JasPer 1.900.1 and earlier allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via a crafted ICC
color profile in a JPEG 2000 image file.
CVE-2014-8138:
Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1
and earlier allows remote attackers to cause a denial of service (crash)
or possibly execute arbitrary code via a crafted JPEG 2000 file.
References:
- http://seclists.org/oss-sec/2014/q4/1090
- MISC: https://www.ocert.org/advisories/ocert-2014-012.html
- MISC: http://packetstormsecurity.com/files/129660/JasPer-1.900.1-Double-Free-Heap-Overflow.html
- REDHAT: RHSA-2014:2021, http://rhn.redhat.com/errata/RHSA-2014-2021.html
- SECUNIA: 61747, http://secunia.com/advisories/61747
- SECUNIA: 62311, http://secunia.com/advisories/62311
CVE-2014-8157 (off-by-one heap buffer overflow) / CVE-2014-8158 (stack overflow):
The library is affected by an off-by-one error in a buffer boundary check in jpc_dec_process_sot(), leading to a heap-based buffer overflow, as well as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack overflow.
A specially crafted JPEG-2000 file can be used to trigger the vulnerabilities.
Affected version: JasPer <= 1.900.1. Fixed version: JasPer, N/A
Credit: vulnerability report received from <pyddeh () gmail com>.
Timeline:
2015-01-06: vulnerability report received
2015-01-06: contacted affected vendors, assigned CVEs
2015-01-21: advisory release
References:
http://seclists.org/oss-sec/2015/q1/210
(from redmine: issue id 3814, created on 2015-01-27, closed on 2015-09-21)
- Relations:
- child #3815 (closed)
- child #3816 (closed)
- child #3817 (closed)
- child #3818 (closed)
- child #4648 (closed)
- Changesets:
  - Revision 5cf21c29 by Natanael Copa on 2015-09-21T09:08:50Z:
    main/jasper: various security fixes
    ref #3814
    CVE-2014-8137.patch
    CVE-2014-8138.patch
    CVE-2014-8157.patch
    CVE-2014-8158.patch
  - Revision ac8cb8e3 by Natanael Copa on 2015-09-21T09:14:29Z:
    main/jasper: security fixes (various)
    CVE-2014-8137.patch
    CVE-2014-8138.patch
    CVE-2014-8157.patch
    CVE-2014-8158.patch
    ref #3814
    fixes #4648
  - Revision 68679302 by Natanael Copa on 2015-09-21T09:18:45Z:
    main/jasper: security fixes (various)
    CVE-2014-8137.patch
    CVE-2014-8138.patch
    CVE-2014-8157.patch
    CVE-2014-8158.patch
    ref #3814
    fixes #3818
  - Revision 5be72100 by Natanael Copa on 2015-09-21T09:21:17Z:
    main/jasper: security fixes (various)
    CVE-2014-8137.patch
    CVE-2014-8138.patch
    CVE-2014-8157.patch
    CVE-2014-8158.patch
    ref #3814
    fixes #3817
  - Revision b55f9424 by Natanael Copa on 2015-09-21T09:25:45Z:
    main/jasper: security fixes (various)
    CVE-2014-8137.patch
    CVE-2014-8138.patch
    CVE-2014-8157.patch
    CVE-2014-8158.patch
    ref #3814
    fixes #3816