Home page logo
/

oss-sec logo oss-sec mailing list archives

Fwd: [vs] multiple issues in openjpeg
From: Raphael Geissert <atomo64 () gmail com>
Date: Wed, 4 Dec 2013 12:24:31 +0100

Hi,

This was unembargoed yesterday, so here's a copy of the messages sent
to the distros list.
There were no responses, so no messages are missing.

In the meantime I've received a response from one of upstream authors,
Mathieu Malaterre, saying he would be reviewing the patches at a later
time.

This work was done as part of a review of openjpeg for EDF.

Cheers,
Raphael

---------- Forwarded message ----------
From: Raphael Geissert <atomo64 () gmail com>
Date: 1 December 2013 23:42
Subject: Re: [vs] multiple issues in openjpeg
To: distros () vs openwall org


Hi again,

Given that there has been no response whatsoever...

On 26 November 2013 12:04, Raphael Geissert <atomo64 () gmail com> wrote:
[...]
1. heap OOB reads, information leaks

CVE-2013-6052

2. ditto, but only affecting 1.5.1

CVE-2013-6053

3. heap OOB writes (CVE-2013-6045)
4. ditto but only affecting 1.3

CVE-2013-6054

5. null pointer dereferences, division by zero, and anything that
would just fit as DoS (CVE-2013-1447)
6. ditto, but only affecting 1.5.1

CVE-2013-6887

Cheers,
--
Raphael Geissert


---------- Forwarded message ----------
From: Raphael Geissert <atomo64 () gmail com>
Date: 26 November 2013 12:04
Subject: [vs] multiple issues in openjpeg
To: distros () vs openwall org


Hi everyone,

During a review for EDF, I discovered multiple kinds of
vulnerabilities in openjpeg (different than CVE-2013-4289 and
CVE-2013-4290).

Summary:
* multiple denial of service (null ptr deref, high resource
consumption - in the order of 20GBs, division by zero, etc),
* invalid free()s (didn't check impact),
* out of bounds array reads and writes (similar to CVE-2012-3358, so
possibly exploitable to run arbitrary code),
* a format string bug (didn't check impact, at least DoS, ileak), and
* the use of uninitialized memory for all sorts of things.

Notice that this does not constitute a full review and that there
surely are more issues left in the code base.

Versions reviewed:
* 1.3 (with Debian's patches, as found in Debian squeeze and wheezy), and
* 1.5.1 (as found in Debian experimental).
Other versions might also be affected.

Upstream was contacted but got no response.

CVE-wise, I've classified the issues as following:

1. heap OOB reads, information leaks
2. ditto, but only affecting 1.5.1
3. heap OOB writes (CVE-2013-6045)
4. ditto but only affecting 1.3
5. null pointer dereferences, division by zero, and anything that
would just fit as DoS (CVE-2013-1447)
6. ditto, but only affecting 1.5.1

The two CVE ids above come from Debian's pool, but given the above
classification more ids are going to be needed. If there's an
agreement to the above, could somebody please assign some other ids?

Now, as for the vulnerabilities themselves, they are best described by
the attached patches. If details for any specific patch are desired
don't hesitate to ask. They should apply to both versions almost
as-is, if they don't, prod me.

Patches by categories defined above:

1.
shifting_too_much.patch
2.
segfault3.patch
3.
segfault0.patch
segfault1.patch
segfault2.patch
segfault5.patch
segfault7.patch
4.
qcx_backport.patch
5.
bloop1.patch
bloop2.patch
divbyzero.patch
null-ptr-deref.patch
segfault4.patch
segfault6.patch
segfault8.patch
segfault10.patch
uint_overflow.patch
6.
ifree1.patch

The patch that replaces malloc with calloc (segfault4.patch) is surely
enough just a workaround, but there are too many problems with the
code to spend further time on it.

Desired CDR: 3rd of December, 07:00 UTC

Cheers,
--
Raphael Geissert


-- 
Raphael Geissert

Attachment: bloop1.patch
Description:

Attachment: bloop2.patch
Description:

Attachment: divbyzero.patch
Description:

Attachment: ifree1.patch
Description:

Attachment: null-ptr-deref.patch
Description:

Attachment: qcx_backport.patch
Description:

Attachment: segfault0.patch
Description:

Attachment: segfault1.patch
Description:

Attachment: segfault2.patch
Description:

Attachment: segfault3.patch
Description:

Attachment: segfault4.patch
Description:

Attachment: segfault5.patch
Description:

Attachment: segfault6.patch
Description:

Attachment: segfault7.patch
Description:

Attachment: segfault8.patch
Description:

Attachment: segfault10.patch
Description:

Attachment: shifting_too_much.patch
Description:

Attachment: uint_overflow.patch
Description:


  By Date           By Thread  

Current thread:
  • Fwd: [vs] multiple issues in openjpeg Raphael Geissert (Dec 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]