oss-sec
mailing list archives
openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045
From: Doran Moppert <dmoppert () redhat com>
Date: Tue, 27 Sep 2016 10:54:00 +0930
First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
same underlying issue.
https://github.com/uclouvain/openjpeg/issues/724
Origin of the issue is the same as #725
https://github.com/uclouvain/openjpeg/issues/725
Original requests:
http://seclists.org/oss-sec/2016/q1/630
http://seclists.org/oss-sec/2016/q1/631
.. it gets more interesting. The reproducer on issue 725 happens to tickle
a flaw in a patch for CVE-2013-6045 that was posted here back when:
http://seclists.org/oss-sec/2013/q4/412
segfault-1.patch uses:
+ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
which should have used compcsize instead of comp0size.
Upstream never included this patch - deeper work went into eliminating this and
other issues in openjpeg-1.5.2. The patch that addresses this particular issue
seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).
https://github.com/uclouvain/openjpeg/commit/69cd4f92
https://github.com/uclouvain/openjpeg/issues/297
This hasn't been an issue in upstream openjpeg releases for a long time ...
but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
patches from here applied. Those should preferably upgrade to 1.5.2: changing
comp0size to compcsize eliminates this particular crash, but the upstream fixes
that got into 1.5.2 seem to more thoroughly address some of the underlying
problems.
--
Doran Moppert
Red Hat Product Security
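An added example, not part of the post above or of OpenJPEG's own code, illustrating the comp0size/compcsize mix-up: when every tile component's buffer is sized from component 0, any component with more samples than component 0 is under-allocated. The `comp_t` layout, the function names, and the 32x32 / 64x64 component dimensions are all constructed for this illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for a tile component descriptor: in JPEG 2000 each
 * component has its own sample dimensions after subsampling, so sizes differ. */
typedef struct {
    int w, h;                       /* samples per row / rows (constructed) */
} comp_t;

/* Number of samples in component c of the tile. */
static size_t comp_size(const comp_t *comps, int c) {
    return (size_t)comps[c].w * (size_t)comps[c].h;
}

/* Sizing policy of the flawed patch line: every component's buffer is
 * sized from component 0 (comp0size), whatever component c actually needs. */
static size_t buggy_alloc_len(const comp_t *comps, int c) {
    (void)c;
    return (comp_size(comps, 0) + 3) * sizeof(int);
}

/* Corrected policy: size the buffer from the component being allocated (compcsize). */
static size_t fixed_alloc_len(const comp_t *comps, int c) {
    return (comp_size(comps, c) + 3) * sizeof(int);
}

/* 1 if alloc_len bytes hold every sample of component c, 0 if decoding into
 * that buffer would write past its end. */
static int buffer_fits(const comp_t *comps, int c, size_t alloc_len) {
    return comp_size(comps, c) * sizeof(int) <= alloc_len;
}

/* Count the components whose buffers would overflow under a sizing policy. */
static int count_overflows(const comp_t *comps, int ncomps,
                           size_t (*policy)(const comp_t *, int)) {
    int bad = 0;
    for (int c = 0; c < ncomps; c++)
        if (!buffer_fits(comps, c, policy(comps, c)))
            bad++;
    return bad;
}

/* Constructed tile where component 0 is smaller than components 1 and 2:
 * the layout in which sizing from component 0 alone fails. */
static int demo_overflow_count(int use_fix) {
    const comp_t comps[3] = { {32, 32}, {64, 64}, {64, 64} };
    return count_overflows(comps, 3, use_fix ? fixed_alloc_len : buggy_alloc_len);
}

int main(void) {
    printf("under-allocated components: buggy=%d fixed=%d\n",
           demo_overflow_count(0), demo_overflow_count(1));
    return 0;
}
```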