Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045

[Raphael Geissert <geissert () debian org>]

Hi,

On 27 September 2016 at 03:24, Doran Moppert <dmoppert () redhat com> wrote:
> First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
> same underlying issue.
>
> https://github.com/uclouvain/openjpeg/issues/724
>
> > Origin of the issue is the same as #725
>
> https://github.com/uclouvain/openjpeg/issues/725
[...]
> .. it gets more interesting.  The reproducer on issue 725 happens to tickle
> a flaw in a patch for CVE-2013-6045 that was posted here back when:
>
> http://seclists.org/oss-sec/2013/q4/412
>
> segfault-1.patch uses:
>
> +               tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
>
> which should have used compcsize instead of comp0size.

Yes, indeed. This patch also introduced a regression in the processing
of some images.
Cf. https://bugs.debian.org/734238

> This hasn't been an issue in upstream openjpeg releases for a long time ...
> but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
> patches from here applied.  Those should preferably upgrade to 1.5.2:  changing
> comp0size to compcsize eliminates this particular crash, but the upstream fixes
> that got into 1.5.2 seem to more thoroughly address some of the underlying
> problems.

Do you specifically know of a distribution that still has that patch?
If I remember the context correctly, the use of comp0size could then
lead to a heap buffer overflow later on. Was that what you noticed?

In any case, the patch should indeed better be replaced by the one
provided upstream (cf. the Debian bug report).

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net