Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Sep 2016 15:23:32 +0200
From: Robert Święcki <robert@...ecki.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - openjpeg null ptr dereference

Hi,

2016-09-18 14:41 GMT+02:00 vul@...safe <vul@...safe.com>:
> # Vulnerability

Would you have an idea who (and how) is exactly *vulnerable* to this
specific vulnerability?

> openjpeg null ptr dereference in convert.c:1331
>
> # Version
> 2.1.1  ( http://www.openjpeg.org/ )
>
> # Address Sanitizer Output
> ASAN:SIGSEGV
> =================================================================
> ==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc
> 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
>     #0 0x815d203 in skip_white
> /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
>     #1 0x8135d81 in main
> /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
>     #2 0xf7343636 in __libc_start_main ??:?
>     #3 0x807a31b in _start ??:?
>
> # PoC
> See poc.ppm
>
> # Analysis
> In convert.c:1483 and convert.c:1485, variable s is uncheck after
> skip_int is called.
> A null ptr will be passed to skip_int again and will cause a null ptr
> dereference.
>
> # Report Timeline
> 2016-09-16: FB3F15 of STARLAB discovered this issue
> 2016-09-18:Patch released
>
> # Credit
> FB3F15 of STARLAB
>
> # PoC
> https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm
>
> # External link
> https://github.com/uclouvain/openjpeg/issues/843

-- 
Robert Święcki

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ