
List:       oss-security
Subject:    [oss-security] openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045
From:       Doran Moppert <dmoppert () redhat ! com>
Date:       2016-09-27 1:36:00
Message-ID: 20160927012359.GA30247 () sin ! redhat ! com


First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
same underlying issue.

https://github.com/uclouvain/openjpeg/issues/724

> Origin of the issue is the same as #725

https://github.com/uclouvain/openjpeg/issues/725

Original requests:

http://seclists.org/oss-sec/2016/q1/630
http://seclists.org/oss-sec/2016/q1/631


.. it gets more interesting.  The reproducer on issue 725 happens to tickle
a flaw in a patch for CVE-2013-6045 that was posted here back when:

http://seclists.org/oss-sec/2013/q4/412

segfault-1.patch uses:

+		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));

which should have used compcsize instead of comp0size.

Upstream never included this patch - deeper work went into eliminating this and
other issues in openjpeg-1.5.2.  The patch that addresses this particular issue
seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).

https://github.com/uclouvain/openjpeg/commit/69cd4f92
https://github.com/uclouvain/openjpeg/issues/297

This hasn't been an issue in upstream openjpeg releases for a long time ...
but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
patches from here applied.  Those should preferably upgrade to 1.5.2:  changing
comp0size to compcsize eliminates this particular crash, but the upstream fixes
that got into 1.5.2 seem to more thoroughly address some of the underlying
problems.
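As an added illustration, not openjpeg code nor the patch quoted above, of why a tile buffer sized from comp0size can be too small for another component: the types, function names and the two component layouts below are constructed for this example, and the sizing follows the JPEG 2000 rule that a component with subsampling dx,dy covers ceil(tx0/dx)..ceil(tx1/dx) of the tile.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example, not openjpeg code.  Components of one tile can hold
 * different numbers of samples, so a buffer sized from component 0
 * (comp0size) is only safe for component c when compcsize <= comp0size. */

typedef struct { uint32_t dx, dy; } comp_info;            /* subsampling, >= 1 */
typedef struct { uint32_t x0, y0, x1, y1; } tile_rect;    /* [x0,x1) x [y0,y1) */

/* Two constructed layouts for one 64x64 tile. */
static const tile_rect TILE = { 0, 0, 64, 64 };
static const comp_info YUV420[3]  = { {1, 1}, {2, 2}, {2, 2} }; /* usual: comp 0 largest */
static const comp_info CRAFTED[2] = { {2, 2}, {1, 1} };         /* comp 0 smaller than comp 1 */

static uint32_t ceil_div(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a + b - 1) / b);   /* b >= 1, no 32-bit overflow */
}

/* Sample count of component c inside tile t. */
size_t comp_tile_size(const tile_rect *t, const comp_info *c) {
    uint32_t w = ceil_div(t->x1, c->dx) - ceil_div(t->x0, c->dx);
    uint32_t h = ceil_div(t->y1, c->dy) - ceil_div(t->y0, c->dy);
    return (size_t)w * h;
}

/* Count components whose own size exceeds comp0size: with the flawed
 * patch each of these would get a buffer that is too small. */
int count_underallocated(const tile_rect *t, const comp_info *comps, int ncomps) {
    size_t comp0size = comp_tile_size(t, &comps[0]);
    int bad = 0;
    for (int c = 1; c < ncomps; c++)
        if (comp_tile_size(t, &comps[c]) > comp0size) bad++;
    return bad;
}

/* Allocate as the correction does: from the component's own size (plus the
 * same +3 padding as the quoted line), with the arithmetic checked first. */
int *alloc_comp_tile(const tile_rect *t, const comp_info *c, size_t *n_out) {
    size_t n = comp_tile_size(t, c);
    if (n > SIZE_MAX / sizeof(int) - 3) return NULL;   /* (n+3)*sizeof(int) would wrap */
    *n_out = n;
    return (int *)calloc(n + 3, sizeof(int));
}

int main(void) {
    assert(count_underallocated(&TILE, YUV420, 3) == 0);   /* comp0size covers all */
    assert(count_underallocated(&TILE, CRAFTED, 2) == 1);  /* comp 1 needs 4096 > 1024 */
    size_t n; int *buf = alloc_comp_tile(&TILE, &CRAFTED[1], &n);
    assert(buf != NULL && n == 4096);
    free(buf);
    return 0;
}
```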



-- 
Doran Moppert
Red Hat Product Security

