CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
96.4%
Some versions of JasPer contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.
JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows which in turn may result in execution of attacker-controlled code.
CVE-2011-4516: src/libjasper/jpc/jpc_cs.c: jpc_cox_getcompparms
jpc_cox_getcomparms
is called as part of the decoding of a coding style default (COD) marker segment. The function populates a parameter struct (jpc_msparms_t
) that is contained in a marker segment struct (jpc_ms_t
). jpc_cox_getcompparms
contains a loop that copies data from the input file to the jpc_msparms_t
struct. The loop terminates on a value (numrlvls
) derived from the input file:
for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
jpc_cox_destroycompparms(compparms);
return -1;
}
compparms->rlvls[i].parwidthval = tmp & 0xf;
compparms->rlvls[i].parheightval = (tmp >> 4) & 0xf;
}
numrlvls
is read from the input file. The attacker can control numrlvls
to overflow the jpc_msparms_t
struct and copy attacker-controlled data from the input file into a struct of callback functions (jpc_msops_s
) that appears in jpc_ms_t
(src/libjasper/jpc/jpc_cs.h
) just after jpc_msparms_t
:
typedef struct {
/* The type of marker segment. */
uint_fast16_t id;
/* The length of the marker segment. */
uint_fast16_t len;
/* The starting offset within the stream. */
uint_fast32_t off;
/* The parameters of the marker segment. */
jpc_msparms_t parms;
/* The marker segment operations. */
struct jpc_msops_s *ops;
} jpc_ms_t;
Any subsequent failures in decoding the marker segment will result in the destroyparms
member of the callback struct being invoked as part of cleanup. If the attacker has overwritten this callback via the loop above, attacker-controlled values can be loaded into the program counter.
CVE-2011-4517: src/libjasper/jpc/jpc_cs.c: jpc_crg_getparms
jpc_crg_getparms
is called as part of the decoding of a component registration (CRG) marker segment. This function populates a heap buffer with data derived from the input file (in
).
The function contains an allocation size/type error. The heap buffer size is calculated using sizeof(uint_fast16_t)
but the rest of the function assumes sizeof(jpc_crgcomp_t)
.
jpc_crgcomp_t *comp;
...
if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
return -1;
}
...
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
++compno, ++comp) {
if (jpc_getuint16(in, &comp->hoff) ||
jpc_getuint16(in, &comp->voff)) {
jpc_crg_destroyparms(ms);
return -1;
}
}
The attacker can overwrite the bytes after crg->comp
in memory with arbitrary data. This is a heap buffer overflow, which is generally considered exploitable.
There are additional security implications here as well, however. The loop above is controlled by cstate->numcomps
(cstate
as one member: numcomps
). cstate
is allocated in a calling function, and is often allocated just before crg->comp
. On some platforms the heap chunk allocated for cstate
is located just after the heap chunk allocated for crg->comp
, separated by only 4 bytes of heap accounting info. The accounting info + cstate
(8 bytes after crg->comp
) can be overwritten with bytes from the input file via the loop above. In these cases, the attacker can place a large number in cstate->numcomps
to make the loop above iterate past the expected bound of crg->comps
and copy an arbitrary number of bytes from the input file into heap (a heap buffer overflow). This enables the attacker to perform well-known heap exploitations, as well as allowing the attacker to overwrite other active heap allocations such as the callback pointers referenced in the previous bug description.
By tricking a user into opening or previewing an image file in an application that decodes images with the JasPer library, an attacker can execute arbitrary code or cause a denial-of-service crash.
Apply an update
Users who obtain JasPer from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.
Please consider the following workarounds:
Avoid processing malicious image files
Turn off image preview features in file browsers and other applications that use the JasPer library. Avoid opening image attachments from untrusted or unrecognized sources.
887409
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: June 14, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: June 14, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: June 14, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: March 02, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Statement Date: October 22, 2011
Not Affected
The library in question is not used in any version of OS X or iOS.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Statement Date: December 02, 2011
Not Affected
Juniper Networks products are not susceptible to this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: December 08, 2011
Statement Date: December 05, 2011
Not Affected
Our products do not use JasPer.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2011 Updated: October 20, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
View all 43 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 9 | AV:N/AC:M/Au:N/C:C/I:C/A:P |
Temporal | 7 | E:POC/RL:OF/RC:C |
Environmental | 7.1 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
These vulnerabilities were discovered by Jonathan Foote of the CERT/CC.
This document was written by Jonathan Foote.
CVE IDs: | CVE-2011-4516, CVE-2011-4517 |
---|---|
Severity Metric: | 3.58 Date Public: |