Date: Thu,  8 Sep 2016 02:54:34 -0400 (EDT)
From: cve-assign@...re.org
To: winsonliu@...cent.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: OpenJPEG Integer Overflow Issue

> I reported a security issue of OpenJPEG some days ago and it has been
> fixed now. The fix is available at
> https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4
> and
> https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24
> 
> An integer overflow issue exists in function opj_pi_create_decode of
> pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in
> function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp,
> opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be
> vulnerable). This vulnerability allows remote attackers to execute
> arbitrary code on vulnerable installations of OpenJPEG.
> 
> AddressSanitizer: heap-buffer-overflow
> READ of size 2

Use CVE-2016-7163.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
