Closed pip-izony closed 9 months ago
@mdadams Thanks for handling this so fast!
Fix confirmed:
jasper -f PoC -T jp2
warning: skipping unknown tag type
error: failed to parse ICC profile
jas_image_decode: decode operation failed
error: cannot load image data
@pip-izony did you request a CVE for this, or do you plan to request one? Otherwise we'll do that.
I want to report it to CVE. But if you reported this bug, do I have something to do?
I want to report it to CVE.
Ok, then I'll wait :) Please comment the assigned CVE here once you have it.
If you report this bug, do I need to do it myself?
I didn't do it yet. I thought I'll ask you first whether you prefer to do it yourself.
Ok then I will report the bug. Thank you for your reply:)
This issue has been assigned CVE-2023-51257
@jubalh I updated the NEWS file to mention this CVE.
Could you add further info of the impact this bug has? Is there a possibility to leverage this into a RCE condition?
This is a task for security researchers. We are upstream writing and maintaining an image library.
Affected people can update to the latest version. Distributions already started backporting the fix into released versions.
Environment
Ubuntu 22.04.3 LTS
Compiler
clang version 11.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix
Affected Version
jasper 4.1.1
Step to reproduce
Contents of PoC file
PoC.zip
Expected behavior
Print error or warning messages handled within jasper.
Current behavior