Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 12 May 2016 23:53:59 -0400 (EDT)
From: cve-assign@...re.org
To: winsonliu@...cent.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - OpenJPEG: Security Fixes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 1. Issue 774
> OpenJPEG Heap Buffer Overflow in function color_cmyk_to_rgb of color.c
> Fixed via https://github.com/uclouvain/openjpeg/commit/162f6199c0cd3ec1c6c6dc65e41b2faab92b2d91

Use CVE-2016-4796.


> 3. Issue 733
> OpenJPEG division-by-zero in function opj_tcd_init_tile of tcd.c
> Fixed via https://github.com/uclouvain/openjpeg/commit/8f9cc62b3f9a1da9712329ddcedb9750d585505c

Use CVE-2016-4797. Note that the problematic
"(OPJ_UINT32)-1) / l_data_size" was apparently introduced in a patch
addressing out-of-bounds read (or heap-based buffer over-read)
vulnerabilities. See the pdfium.googlesource.com reference in
CVE-2014-7947. In other words, CVE-2016-4797 exists because of an
incorrect fix for CVE-2014-7947.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXNU9PAAoJEHb/MwWLVhi28X4QAIGR60vQpZzIhEywfDxkjIBR
dSoym8oeHcYmXJ3ss2YRbh7+SWIstc3gu9cM3BXTuvyIQqsjN0uMf4/GOYanYUe4
5BtBptTnJlZW+mR+SfZ3Q/ykY3ysTgQMx93114gSj+5+JPS22rb3SM9PiaofeMgh
1NMGfI91bpp/KotoChumac2ySmA6ozyPXitOhBcu/fYipJAAnymxg0msmXqemjY8
HC9yjamL5RxvNSl8ljJsB67A7HJ9tvW8zvDUv6w6Q7s6LvbnCdQKJi62gj8/s+u4
bPP5KlfFdqDSVmQuMbhFwC+g1LfH5wPzjeKo9B2HFZnXPU/MMlHiTLM+Sw2ZPaAK
y1iZiHJWgoVcgEWRDmBim698GqITbkvkIuIhr/Wwr5JG9VogTmwkEyoHsSUpvybh
0xtT9po9hyWpli0pzCrEVMOEhg3IIa8l2HY7QK0QwpQgIiOS5FqoDQGx+rE257zX
ycEjCotU9ut0x9NvuoEZ4Vcij9uuN4LOq936TwbDCL7Mrl2+/sKzUggl9NdiwLOz
zulrm15VG76PcyrdlBxg5Mz+T3jKnGeASvuIFGvFNAqgDbo1a9aNPsqZqt9PQGms
tYOD46BI1j04y0lO0+0kzuKM6KQD2I5P481mlxwNkpak8ZbYh2nk+v+sbtE6mQh/
f76PMrF6mhLea5mECvFK
=0Yri
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ