Date: Wed, 2 Apr 2014 10:31:52 +0200
From: Raphael Geissert <>
Subject: Information on CVE-2014-0158, openjpeg


I just became aware of CVE-2014-0158[1], which was recently assigned
to openjpeg.
Looking at the proposed patch (as the description is rather brief), it
seems to me that it is a dup of one of the bugs covered by

Quoting from my post to oss-security:
> 5. null pointer dereferences, division by zero, and anything that
> would just fit as DoS (CVE-2013-1447)

> [listing the group of issues and attachments]
> 5.
> [...]
> segfault6.patch

Which is exactly what is being commented about in [2], a copy of which
is also available at [3].

IIRC without that patch some of the structures were not initialized
and applications (like the ones shipped by openjpeg itself) would try
to dereference NULL pointers, and just crash - no memory write was

Or is there more to CVE-2014-0158 that I might be missing?

P.S. testing the encoding functions would probably be like opening
another can of worms, if anyone is interested in that.


Raphael Geissert - Debian Developer -
