Date: Fri, 13 Apr 2012 10:46:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: CVE Request: Heap corruption in openjpeg

On 04/13/2012 05:56 AM, Jan Lieskovsky wrote:
> Thank you for this post, Huzaifa.
> 
> On 04/13/2012 09:29 AM, Huzaifa Sidhpurwala wrote:
>> Hi All,
>> 
>> While looking at openjpeg, I found the following bug in their
>> tracker, which still seems to be unaddressed.
>> http://code.google.com/p/openjpeg/issues/detail?id=5
>> 
>> I don't think a CVE id has been assigned to this issue yet.
> 
> Yes, it doesn't look like one got assigned for this one yet, since:
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
> 
> provides just recent CVE-2012-1499. To the:
> 
> http://code.google.com/p/openjpeg/issues/detail?id=5
> 
> issue itself:
> 
> 1) It should get a CVE-2009-* identifier (upstream ticket is public
> from 2009-Jul-31).
> 
> 2) From investigating the causes of the issue, it seems to be a
> combination of heap-based buffer invalid reads and writes when
> processing certain Gray16 TIFF images, leading to an invalid free
> (when such corrupted memory allocated for the tile encoder / decoder
> handle (TCD) is attempted to be freed).
> 
> A more official description is in the Red Hat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=812317
> 
> Kurt, could you allocate a 2009 CVE id?

Please use CVE-2009-5030 for this issue.

> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
