oss-sec mailing list archives
Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045
From: Raphael Geissert <geissert () debian org>
Date: Wed, 5 Oct 2016 13:06:03 +0200
Hi, On 27 September 2016 at 03:24, Doran Moppert <dmoppert () redhat com> wrote:
First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the same underlying issue. https://github.com/uclouvain/openjpeg/issues/724Origin of the issue is the same as #725https://github.com/uclouvain/openjpeg/issues/725
[...]
.. it gets more interesting. The reproducer on issue 725 happens to tickle a flaw in a patch for CVE-2013-6045 that was posted here back when: http://seclists.org/oss-sec/2013/q4/412 segfault-1.patch uses: + tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int)); which should have used compcsize instead of comp0size.
Yes, indeed. This patch also introduced a regression in the processing of some images. Cf. https://bugs.debian.org/734238
This hasn't been an issue in upstream openjpeg releases for a long time ... but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the patches from here applied. Those should preferably upgrade to 1.5.2: changing comp0size to compcsize eliminates this particular crash, but the upstream fixes that got into 1.5.2 seem to more thoroughly address some of the underlying problems.
Do you specifically know of a distribution that still has that patch? If I remember the context correctly, the use of comp0size could then lead to a heap buffer overflow later on. Was that what you noticed? In any case, the patch should indeed better be replaced by the one provided upstream (cf. the Debian bug report). Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045 Raphael Geissert (Oct 05)
- CVE request: openjpeg: incorrect fix for CVE-2013-6045 (was Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045) Doran Moppert (Oct 05)
- <Possible follow-ups>
- Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045 cve-assign (Nov 29)