CVE-2014-8137
Published 2014-12-24
Priority P3 · 41 · medium | CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 14.55% (96.2nd percentile)
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| jasper_project | jasper | <= 1.900.1 | — |
| jasper_project | jasper | >= 0 < 1.900.1-14ubuntu3.2 | 1.900.1-14ubuntu3.2 |
| jasper_project | jasper | >= 0 < 1.900.1-14ubuntu3.3 | 1.900.1-14ubuntu3.3 |
| jasper_project | jasper | >= 0 < 1.900.1-debian1-2.4ubuntu1 | 1.900.1-debian1-2.4ubuntu1 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
GHSA
GHSA-w9x9-p92f-4hrr: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
ghsa_unreviewed·2022-05-14·CVSS 6.8
CVE-2016-1577 [MEDIUM] GHSA-w9x9-p92f-4hrr: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137.
GHSA
GHSA-6c5f-g4r3-q34j: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
ghsa_unreviewed·2022-05-14
CVE-2014-8137 [MEDIUM] GHSA-6c5f-g4r3-q34j: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.
OSV
CVE-2016-1577: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
osv·2016-03-03·CVSS 6.8
CVE-2016-1577 [MEDIUM] CVE-2016-1577: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137.
OSV
jasper vulnerabilities
osv·2015-01-26·CVSS 6.8
CVE-2014-8137 [MEDIUM] jasper vulnerabilities
jasper vulnerabilities
Jose Duart discovered that JasPer incorrectly handled ICC color profiles in
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges. (CVE-2014-8137)
Jose Duart discovered that JasPer incorrectly decoded certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges. (CVE-2014-8138)
It was discovered that JasPer incorrectly handled certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker
OSV
CVE-2014-8137: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
osv·2014-12-24·CVSS 6.8
CVE-2014-8137 [MEDIUM] CVE-2014-8137: Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.
Red Hat
jasper: double free issue in jas_iccattrval_destroy()
vendor_redhat·2016-03-03·CVSS 6.8
CVE-2016-1577 [MEDIUM] CWE-416 jasper: double free issue in jas_iccattrval_destroy()
jasper: double free issue in jas_iccattrval_destroy()
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137.
Package: netpbm (Red Hat Enterprise Linux 5) - Not affected
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Will not fix
Ubuntu
Ghostscript vulnerabilities
vendor_ubuntu·2015-01-26·CVSS 6.8
CVE-2014-8137 [MEDIUM] Ghostscript vulnerabilities
Title: Ghostscript vulnerabilities
Summary: Ghostscript could be made to crash or run programs as your login if it
opened a specially crafted file.
USN-2483-1 fixed vulnerabilities in JasPer. This update provides the
corresponding fix for the JasPer library embedded in the Ghostscript
package.
Original advisory details:
Jose Duart discovered that JasPer incorrectly handled ICC color profiles in
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges. (CVE-2014-8137)
Jose Duart discovered that JasPer incorrectly decoded certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a re
Ubuntu
JasPer vulnerabilities
vendor_ubuntu·2015-01-26·CVSS 6.8
CVE-2014-8137 [MEDIUM] JasPer vulnerabilities
Title: JasPer vulnerabilities
Summary: JasPer could be made to crash or run programs as your login if it
opened a specially crafted file.
Jose Duart discovered that JasPer incorrectly handled ICC color profiles in
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges. (CVE-2014-8137)
Jose Duart discovered that JasPer incorrectly decoded certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges. (CVE-2014-8138)
It was discovered that JasPer incorrectly handled certain malformed
JP
Red Hat
jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
vendor_redhat·2014-12-18·CVSS 6.8
CVE-2014-8137 [MEDIUM] CWE-416 jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Package: netpbm (Red Hat Enterprise Linux 5) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-8138 CVE-2014-8137 jasper: various flaws [epel-5]
bugzilla·2014-12-18·CVSS 6.8
CVE-2014-8138 [MEDIUM] CVE-2014-8138 CVE-2014-8137 jasper: various flaws [epel-5]
CVE-2014-8138 CVE-2014-8137 jasper: various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-5 tracking bug for jasper: see blocks bug list for full details o
Bugzilla
CVE-2014-8138 CVE-2014-8137 jasper: various flaws [fedora-all]
bugzilla·2014-12-18·CVSS 6.8
CVE-2014-8138 [MEDIUM] CVE-2014-8138 CVE-2014-8137 jasper: various flaws [fedora-all]
CVE-2014-8138 CVE-2014-8137 jasper: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While o
Bugzilla
CVE-2014-8138 CVE-2014-8137 mingw-jasper: various flaws [epel-7]
bugzilla·2014-12-18·CVSS 6.8
CVE-2014-8138 [MEDIUM] CVE-2014-8138 CVE-2014-8137 mingw-jasper: various flaws [epel-7]
CVE-2014-8138 CVE-2014-8137 mingw-jasper: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-jasper: see blocks bug list for fu
Bugzilla
CVE-2014-8138 CVE-2014-8137 mingw-jasper: various flaws [fedora-all]
bugzilla·2014-12-18·CVSS 6.8
CVE-2014-8138 [MEDIUM] CVE-2014-8138 CVE-2014-8137 mingw-jasper: various flaws [fedora-all]
CVE-2014-8138 CVE-2014-8137 mingw-jasper: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. W
Bugzilla
CVE-2014-8137 jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
bugzilla·2014-12-11·CVSS 6.8
CVE-2014-8137 [MEDIUM] CVE-2014-8137 jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
CVE-2014-8137 jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)
oCERT reports a double-free issue in jas_iccattrval_destroy() in jasper:
In jas_icctxt_input(), if there's an error, there's a call to
jas_free(txt->string), which is freeing attrval->data.txt, but later on
jas_iccattrval_destroy() tries to call free on it again.
Acknowledgements:
Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
Discussion:
Created attachment 967282
Possible patch - variant 1
This uses somewhat conservative approach. It changes iccattrvalinfo destroy ops functions to set variables to NULL after free(), so even if called repeatedly, double-free is avoided. It also changes jas_icctxt_input() t
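The error-path shape described in the oCERT report above (free in the input routine, free again in the destroy routine) and the conservative fix discussed in the bug (clear the pointer after free so destroy is safe to call repeatedly), as an added illustration in C. This is not JasPer's code: `icc_txt_t`, `stream_t`, `icctxt_input_vuln`/`icctxt_input_fixed`, `icctxt_destroy_vuln`/`icctxt_destroy_fixed`, `tracked_free`, `run_cycle` and `run_wellformed` are this example's own simplified names, and the "sRGB" payload is constructed. Frees go through a small tracker so the second free is counted instead of executed, which keeps the demonstration deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the ICC text attribute value; the
 * real jas_iccattrval_t / jas_icctxt_t are more involved. */
typedef struct { char *string; } icc_txt_t;

/* Minimal double-free detector: a pointer released once is remembered,
 * and a second release of it is counted rather than passed to free(). */
#define MAX_FREED 64
static void *g_freed[MAX_FREED];
static int g_nfreed, g_double_frees;

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == p) { g_double_frees++; return; }
    if (g_nfreed < MAX_FREED) g_freed[g_nfreed++] = p;
    free(p);
}
static void tracker_reset(void) { g_nfreed = 0; g_double_frees = 0; }

/* Constructed in-memory stream standing in for the JPEG 2000 file. */
typedef struct { const unsigned char *buf; size_t len, pos; } stream_t;
static int stream_read(stream_t *s, void *dst, size_t n) {
    if (s->pos + n > s->len) return -1;     /* short read: malformed input */
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return 0;
}

/* Vulnerable shape: on a read error the input routine frees txt->string
 * but leaves the dangling pointer stored; destroy then frees it again. */
static int icctxt_input_vuln(icc_txt_t *txt, stream_t *in, size_t declared_len) {
    if (!(txt->string = malloc(declared_len + 1))) return -1;
    if (stream_read(in, txt->string, declared_len)) {
        tracked_free(txt->string);          /* freed here ...            */
        return -1;                          /* ... pointer still in place */
    }
    txt->string[declared_len] = '\0';
    return 0;
}
static void icctxt_destroy_vuln(icc_txt_t *txt) {
    if (txt->string) tracked_free(txt->string);   /* ... and freed again */
}

/* Hardened shape: every owner NULLs the pointer after freeing, so destroy
 * is idempotent and the error path hands back a clean struct. */
static void icctxt_destroy_fixed(icc_txt_t *txt) {
    if (txt->string) { tracked_free(txt->string); txt->string = NULL; }
}
static int icctxt_input_fixed(icc_txt_t *txt, stream_t *in, size_t declared_len) {
    if (!(txt->string = malloc(declared_len + 1))) return -1;
    if (stream_read(in, txt->string, declared_len)) {
        icctxt_destroy_fixed(txt);          /* frees and clears */
        return -1;
    }
    txt->string[declared_len] = '\0';
    return 0;
}

/* One parse-then-cleanup cycle on a malformed tag (4 bytes present, 16
 * declared); returns how many double frees the tracker observed. */
static int run_cycle(int (*input)(icc_txt_t *, stream_t *, size_t),
                     void (*destroy)(icc_txt_t *)) {
    static const unsigned char payload[] = "sRGB";   /* constructed */
    stream_t in = { payload, 4, 0 };
    icc_txt_t txt = { NULL };
    tracker_reset();
    if (input(&txt, &in, 16) != 0)
        destroy(&txt);                      /* caller's error cleanup */
    return g_double_frees;
}

/* Well-formed case: hardened parse succeeds, destroy releases once and a
 * repeated destroy is a no-op. Returns 1 on success. */
static int run_wellformed(void) {
    static const unsigned char payload[] = "sRGB";   /* constructed */
    stream_t in = { payload, 4, 0 };
    icc_txt_t txt = { NULL };
    tracker_reset();
    if (icctxt_input_fixed(&txt, &in, 4) != 0) return 0;
    int ok = strcmp(txt.string, "sRGB") == 0;
    icctxt_destroy_fixed(&txt);
    icctxt_destroy_fixed(&txt);
    return ok && g_double_frees == 0 && g_nfreed == 1;
}

int main(void) {
    printf("vulnerable: %d double free(s)\n", run_cycle(icctxt_input_vuln, icctxt_destroy_vuln));
    printf("hardened:   %d double free(s)\n", run_cycle(icctxt_input_fixed, icctxt_destroy_fixed));
    printf("well-formed: %s\n", run_wellformed() ? "ok" : "FAIL");
    return 0;
}
```

To see the real failure rather than the tracker's count, swap `tracked_free` for plain `free` and build with `-fsanitize=address`: ASan reports the second free in the vulnerable cycle at the destroy call, with the first free site in the input routine. The fix is deliberately local (clear after free, make destroy idempotent) because the destroy ops are reached from several cleanup paths; relying on the input routine alone to not free would leave the other callers exposed.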
References
http://advisories.mageia.org/MGASA-2014-0539.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00013.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00014.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00017.html
http://packetstormsecurity.com/files/129660/JasPer-1.900.1-Double-Free-Heap-Overflow.html
http://rhn.redhat.com/errata/RHSA-2014-2021.html
http://rhn.redhat.com/errata/RHSA-2015-0698.html
http://rhn.redhat.com/errata/RHSA-2015-1713.html
http://secunia.com/advisories/61747
http://secunia.com/advisories/62311
http://secunia.com/advisories/62615
http://secunia.com/advisories/62619
http://www.debian.org/security/2014/dsa-3106
http://www.mandriva.com/security/advisories?name=MDVSA-2015:012
http://www.mandriva.com/security/advisories?name=MDVSA-2015:159
http://www.securityfocus.com/bid/71742
http://www.securitytracker.com/id/1033459
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.538606
http://www.ubuntu.com/usn/USN-2483-1
http://www.ubuntu.com/usn/USN-2483-2
https://www.ocert.org/advisories/ocert-2014-012.html