
[AutoPR- Security] Patch jasper for CVE-2025-8837, CVE-2025-8836 [MEDIUM] #14499

Open: wants to merge 5 commits into base: main
80 changes: 80 additions & 0 deletions SPECS/jasper/CVE-2025-8836.patch
@@ -0,0 +1,80 @@
From 4ced19ffd2d1d1ce63baa9be551f789a4927c37e Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Sat, 2 Aug 2025 18:00:39 -0700
Subject: [PATCH] Fixes #401.

JPEG-2000 (JPC) Encoder:
- Added some missing range checking on several coding parameters
(e.g., precint width/height and codeblock width/height).

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4.patch
---
src/libjasper/jpc/jpc_enc.c | 30 ++++++++++++++++++++++++------
src/libjasper/jpc/jpc_t2dec.c | 3 ++-
2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
index 93013f9..c957e3f 100644
--- a/src/libjasper/jpc/jpc_enc.c
+++ b/src/libjasper/jpc/jpc_enc.c
@@ -474,18 +474,36 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image)
cp->tileheight = atoi(jas_tvparser_getval(tvp));
break;
case OPT_PRCWIDTH:
- prcwidthexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+ i = atoi(jas_tvparser_getval(tvp));
+ if (i <= 0) {
+ jas_eprintf("invalid precinct width (%d)\n", i);
+ goto error;
+ }
+ prcwidthexpn = jpc_floorlog2(i);
break;
case OPT_PRCHEIGHT:
- prcheightexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+ i = atoi(jas_tvparser_getval(tvp));
+ if (i <= 0) {
+ jas_eprintf("invalid precinct height (%d)\n", i);
+ goto error;
+ }
+ prcheightexpn = jpc_floorlog2(i);
break;
case OPT_CBLKWIDTH:
- tccp->cblkwidthexpn =
- jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+ i = atoi(jas_tvparser_getval(tvp));
+ if (i <= 0) {
+ jas_eprintf("invalid code block width (%d)\n", i);
+ goto error;
+ }
+ tccp->cblkwidthexpn = jpc_floorlog2(i);
break;
case OPT_CBLKHEIGHT:
- tccp->cblkheightexpn =
- jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+ i = atoi(jas_tvparser_getval(tvp));
+ if (i <= 0) {
+ jas_eprintf("invalid code block height (%d)\n", i);
+ goto error;
+ }
+ tccp->cblkheightexpn = jpc_floorlog2(i);
break;
case OPT_MODE:
if ((tagid = jas_taginfo_nonull(jas_taginfos_lookup(modetab,
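Review bot: the four new guards in cp_create only reject i <= 0, so any positive value passes and is silently rounded down by jpc_floorlog2(i): a precinct or code block size of, say, 100 becomes 64 with no diagnostic, and nothing in this hunk bounds the resulting exponent from above. Since the commit message calls this range checking, consider also rejecting values that are not a power of two (`if (i <= 0 || (i & (i - 1)))`) and stating where the upper limits on the exponents are enforced, if not here. Two smaller points: the hunk assigns to a variable `i` whose declaration is outside the shown context, so confirm an int `i` is already in scope in cp_create; and atoi maps non-numeric input to 0, which the check catches but reports as "invalid precinct width (0)", so strtol with an end-pointer check would give a clearer error. The four identical check-and-goto blocks could also be folded into one small helper.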
diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
index e52b549..6e1f1f7 100644
--- a/src/libjasper/jpc/jpc_t2dec.c
+++ b/src/libjasper/jpc/jpc_t2dec.c
@@ -337,7 +337,8 @@ static int jpc_dec_decodepkt(jpc_dec_t *dec, jas_stream_t *pkthdrstream, jas_str
const unsigned n = JAS_MIN((unsigned)numnewpasses, maxpasses);
mycounter += n;
numnewpasses -= n;
- if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
+ if ((len = jpc_bitstream_getbits(inb,
+ cblk->numlenbits + jpc_floorlog2(n))) < 0) {
jpc_bitstream_close(inb);
return -1;
}
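Review bot: this hunk in jpc_dec_decodepkt only re-wraps the jpc_bitstream_getbits call across two lines and changes no behaviour, which is why the diffstat for jpc_t2dec.c reads "3 ++-". It is harmless, but a security backport is easier to audit when it carries only the functional change; either drop the hunk from the backport or say in the patch description that it is cosmetic.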
--
2.45.4

64 changes: 64 additions & 0 deletions SPECS/jasper/CVE-2025-8837.patch
@@ -0,0 +1,64 @@
From 3e063893dc0bc44d22f1eabbf10dc7f06ee95aca Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Tue, 5 Aug 2025 20:46:48 -0700
Subject: [PATCH] Fixes #402, #403.

JPEG-2000 (JPC) Decoder:
- Added the setting of several pointers to null in some cleanup code
after the pointed-to memory was freed. This pointer nulling is not
needed normally, but it is needed when certain debugging logs are
enabled (so that the debug code understands that the memory associated
with the aforementioned pointers has been freed).

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/jasper-software/jasper/commit/8308060d3fbc1da10353ac8a95c8ea60eba9c25a.patch
---
src/libjasper/jpc/jpc_dec.c | 13 ++++++++-----
3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
index 2553696..c2600c4 100644
--- a/src/libjasper/jpc/jpc_dec.c
+++ b/src/libjasper/jpc/jpc_dec.c
@@ -1107,23 +1107,23 @@ static int jpc_dec_tilefini(jpc_dec_t *dec, jpc_dec_tile_t *tile)

if (tile->cp) {
jpc_dec_cp_destroy(tile->cp);
- //tile->cp = 0;
+ tile->cp = 0;
}
if (tile->tcomps) {
jas_free(tile->tcomps);
- //tile->tcomps = 0;
+ tile->tcomps = 0;
}
if (tile->pi) {
jpc_pi_destroy(tile->pi);
- //tile->pi = 0;
+ tile->pi = 0;
}
if (tile->pkthdrstream) {
jas_stream_close(tile->pkthdrstream);
- //tile->pkthdrstream = 0;
+ tile->pkthdrstream = 0;
}
if (tile->pptstab) {
jpc_ppxstab_destroy(tile->pptstab);
- //tile->pptstab = 0;
+ tile->pptstab = 0;
}

tile->state = JPC_TILE_DONE;
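Review bot: the header's diffstat says "3 files changed, 8 insertions(+), 5 deletions(-)" but the body lists only src/libjasper/jpc/jpc_dec.c (13 ++++++++-----); git am and patch ignore the stat block, so this does not break the build, but the mismatch suggests the upstream commit touched other files that were dropped in the backport, and the patch description should say which. On the hunk itself, nulling tile->cp, tile->tcomps, tile->pi, tile->pkthdrstream and tile->pptstab right after they are released is correct and cheap, and the `if (!tile->tcomps) continue;` added in the next hunk depends on tile->tcomps actually being cleared here; the old `//tile->... = 0;` comments show the nulling was deliberately disabled before, and the commit message's reason for re-enabling it (the debug dump) is worth keeping next to the code as a comment.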
@@ -2259,6 +2259,9 @@ static int jpc_dec_dump(const jpc_dec_t *dec, FILE *out)
const jpc_dec_tile_t *tile;
for (tileno = 0, tile = dec->tiles; tileno < dec->numtiles;
++tileno, ++tile) {
+ if (!tile->tcomps) {
+ continue;
+ }
assert(!dec->numcomps || tile->tcomps);
unsigned compno;
const jpc_dec_tcomp_t *tcomp;
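Review bot: with `if (!tile->tcomps) continue;` placed immediately before `assert(!dec->numcomps || tile->tcomps);`, the assert can no longer fail (tile->tcomps is non-null whenever it is reached), so it is now dead code. Either drop the assert or restrict the skip to tiles whose state shows they were finished by jpc_dec_tilefini, so the assert keeps catching the case it was written for (a tile that never had tcomps allocated while dec->numcomps is non-zero). As written, jpc_dec_dump silently skips both finished tiles and tiles whose allocation never happened.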
--
2.45.4

9 changes: 8 additions & 1 deletion SPECS/jasper/jasper.spec
@@ -1,7 +1,7 @@
Summary: Implementation of the JPEG-2000 standard, Part 1
Name: jasper
Version: 2.0.32
Release: 4%{?dist}
Release: 5%{?dist}
License: JasPer
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -13,6 +13,8 @@ Patch2: jasper-2.0.14-rpath.patch
Patch100: jasper-2.0.2-test-ppc64-disable.patch
Patch101: jasper-2.0.2-test-ppc64le-disable.patch
Patch102: CVE-2023-51257.patch
Patch103: CVE-2025-8836.patch
Patch104: CVE-2025-8837.patch
# autoreconf
BuildRequires: cmake
BuildRequires: gcc
@@ -75,6 +77,8 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%endif

%patch102 -p1 -b .cve-2023-51257.patch
%patch 103 -p1
%patch 104 -p1

%build
mkdir builder
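Review bot: the two new apply lines use the space-separated `%patch 103 -p1` / `%patch 104 -p1` form while the line directly above uses `%patch102 -p1 -b .cve-2023-51257.patch`; mixing both spellings in one %prep section is confusing, the new lines drop the `-b` backup suffix the existing entry uses, and the space-separated form is only safe if the rpm in the build environment accepts it, so confirm that %prep actually applies both patches there. Pick one convention that matches the surrounding lines, for example `%patch103 -p1 -b .cve-2025-8836` and `%patch104 -p1 -b .cve-2025-8837`.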
@@ -116,6 +120,9 @@ make test -C builder
%{_libdir}/libjasper.so.4*

%changelog
* Tue Aug 12 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.32-5
- Patch for CVE-2025-8837, CVE-2025-8836

* Fri Aug 23 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.0.32-4
- Add patch to resolve CVE-2023-51257
