List: oss-security
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG
From: winsonliu(刘科) <winsonliu () tencent ! com>
Date: 2017-08-30 7:33:28
Message-ID: 1F2D4DA31CA62740BFF46830A0E6A4F712D4C54A () EXMBX-TJ002 ! tencent ! com
Hello,
CVE-2016-10504 ~ 10507 have been assigned to these issues.
Regards,
Ke
> [Suggested description]
> Heap-based buffer overflow vulnerability in the opj_mqc_byteout
> function in mqc.c in OpenJPEG before 2.2.0 allows remote attackers to
> cause a denial of service (application crash) via a crafted bmp file.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> OpenJPEG
>
> ------------------------------------------
>
> [Affected Product Code Base]
> OpenJPEG - before 2.2.0
>
> ------------------------------------------
>
> [Affected Component]
> executable file: opj_compress, function: opj_mqc_byteout, file: mqc.c
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> via a crafted bmp file
>
> ------------------------------------------
>
> [Reference]
> https://github.com/uclouvain/openjpeg/issues/835
> https://github.com/uclouvain/openjpeg/commit/397f62c0a838e15d667ef50e27d5d011d2c79c04
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10504.
> [Suggested description]
> NULL pointer dereference vulnerabilities in the imagetopnm function in
> convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb
> function in color.c, and sycc422_to_rgb function in color.c in
> OpenJPEG before 2.2.0 allow remote attackers to cause a denial of
> service (application crash) via crafted j2k files.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Null pointer dereference
>
> ------------------------------------------
>
> [Vendor of Product]
> OpenJPEG
>
> ------------------------------------------
>
> [Affected Product Code Base]
> OpenJPEG - before 2.2.0
>
> ------------------------------------------
>
> [Affected Component]
> executable file: opj_decompress, function: imagetopnm, sycc444_to_rgb,
> color_esycc_to_rgb, sycc422_to_rgb, file: color.c, convert.c
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> via crafted j2k files
>
> ------------------------------------------
>
> [Reference]
> https://github.com/uclouvain/openjpeg/issues/776
> https://github.com/uclouvain/openjpeg/issues/784
> https://github.com/uclouvain/openjpeg/issues/785
> https://github.com/uclouvain/openjpeg/issues/792
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10505.
> [Suggested description]
> Division-by-zero vulnerabilities in the functions opj_pi_next_cprl,
> opj_pi_next_pcrl, and opj_pi_next_rpcl in pi.c in OpenJPEG before
> 2.2.0 allow remote attackers to cause a denial of service (application
> crash) via crafted j2k files.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> division-by-zero
>
> ------------------------------------------
>
> [Vendor of Product]
> OpenJPEG
>
> ------------------------------------------
>
> [Affected Product Code Base]
> OpenJPEG - before 2.2.0
>
> ------------------------------------------
>
> [Affected Component]
> executable file: opj_decompress, function: opj_pi_next_cprl,
> opj_pi_next_pcrl, opj_pi_next_rpcl, file: pi.c
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> via crafted j2k files
>
> ------------------------------------------
>
> [Reference]
> https://github.com/uclouvain/openjpeg/issues/731
> https://github.com/uclouvain/openjpeg/issues/732
> https://github.com/uclouvain/openjpeg/issues/777
> https://github.com/uclouvain/openjpeg/issues/778
> https://github.com/uclouvain/openjpeg/issues/779
> https://github.com/uclouvain/openjpeg/issues/780
> https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10506.
> [Suggested description]
> Integer overflow vulnerability in the bmp24toimage function in
> convertbmp.c in OpenJPEG before 2.2.0 allows remote attackers to cause
> a denial of service (heap-based buffer over-read and application crash)
> via a crafted bmp file.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Integer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> OpenJPEG
>
> ------------------------------------------
>
> [Affected Product Code Base]
> OpenJPEG - before 2.2.0
>
> ------------------------------------------
>
> [Affected Component]
> executable file: opj_compress, function: bmp24toimage, file:
> convertbmp.c
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> via a crafted bmp file
>
> ------------------------------------------
>
> [Reference]
> https://github.com/uclouvain/openjpeg/issues/833
> https://github.com/uclouvain/openjpeg/commit/da940424816e11d624362ce080bc026adffa26e8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10507.
-----Original Message-----
From: winsonliu
Sent: August 30, 2017 10:48
To: 'Vladis Dronov' <vdronov@redhat.com>; 'oss-security@lists.openwall.com' <oss-security@lists.openwall.com>; 'Alan Coopersmith' <alan.coopersmith@oracle.com>
Cc: 'cve-assign' <cve-assign@mitre.org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG
Hello,
I've already submitted these issues to https://cveform.mitre.org/ . As expected, four CVE
numbers will be assigned since some of them have the same root cause.
Regards,
Ke
-----Original Message-----
From: winsonliu
Sent: August 25, 2017 20:16
To: 'Vladis Dronov' <vdronov@redhat.com>; 'oss-security@lists.openwall.com' <oss-security@lists.openwall.com>; 'Alan Coopersmith' <alan.coopersmith@oracle.com>
Cc: 'cve-assign' <cve-assign@mitre.org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG
Hello,
I'll submit them to cveform next week. And I'll update this thread when more information is
available.
Regards,
Ke
-----Original Message-----
From: winsonliu
Sent: August 24, 2017 9:26
To: 'Vladis Dronov' <vdronov@redhat.com>; oss-security@lists.openwall.com; 'Alan Coopersmith' <alan.coopersmith@oracle.com>
Cc: cve-assign <cve-assign@mitre.org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG
I'm afraid no CVEs were assigned. At least I did not submit these issues to
https://cveform.mitre.org/
Regards,
Ke
-----Original Message-----
From: Vladis Dronov [mailto:vdronov@redhat.com]
Sent: August 23, 2017 19:53
To: oss-security@lists.openwall.com
Cc: winsonliu <winsonliu@tencent.com>; cve-assign <cve-assign@mitre.org>
Subject: Re: [oss-security] CVE Request: Multiple security issues in OpenJPEG (Internet mail)
> Most of these seem to be fixed now in OpenJPEG's recent 2.2.0 release.
> Did CVE id's ever get assigned for them?
If no one reported them and requested CVE-ids via https://cveform.mitre.org/ then I suppose
not, no CVE-ids were assigned.
Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer