This repository has been archived by the owner on Jul 29, 2020. It is now read-only.

CVE-2018-20584 #19

Closed
jubalh opened this issue Jun 15, 2020 · 2 comments
Labels
CVE has-proposal invalid This doesn't seem right

Comments

@jubalh
Member

jubalh commented Jun 15, 2020

JasPer 2.0.14 allows remote attackers to cause a denial of service (application hang) via an attempted conversion to the jp2 format.

See: jasper-software/jasper#192

@MaxKellermann
Contributor

Can't reproduce, not even with 2.0.14. The program writes lots of null bytes, but terminates after 12 seconds.
This may or may not be a DoS bug (depending on whether you believe writing so many null bytes constitutes a DoS), but not an application hang.

@MaxKellermann MaxKellermann added the invalid This doesn't seem right label Jun 28, 2020
@jubalh
Member Author

jubalh commented Jun 29, 2020

Right, https://github.com/mdadams/jasper/files/2716086/poc.tar.gz doesn't trigger for me either.
