Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 19 Sep 2016 02:00:55 +0000
From: winsonliu(刘科) <winsonliu@...cent.com>
To: oss-security <oss-security@...ts.openwall.com>
CC: cve-assign <cve-assign@...re.org>
Subject: CVE Request: Multiple security issues in OpenJPEG

Hi,

This is Ke Liu of Tencent's Xuanwu LAB. I reported some security issues to OpenJPEG some months ago. Could you please assign some CVE numbers for them? Thanks.

The memory issues may lead to code execution, other issues may simply lead to DoS problems.

BTW, proof-of-concept files for all issues were supplied. For more details, please click the issue links below.

1. Out-of-Bounds Write in opj_mqc_byteout of mqc.c

An Out-of-Bounds Write issue can be triggered in function opj_mqc_byteout of mqc.c during executing opj_compress. This issue was caused by a malformed BMP file.

AddressSanitizer: heap-buffer-overflow, WRITE of size 1
Report date: 2016/09/12
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/835
Root cause: not clear
Patch: no patch supplied

2. Out-of-Bounds Read in function bmp24toimage of convertbmp.c

An Out-of-Bounds Read issue was found in function bmp24toimage of convertbmp.c during executing opj_compress. The root cause of this issue was an Integer Overflow issue. This issue was caused by a malformed BMP file.

AddressSanitizer: heap-buffer-overflow, READ of size 1
Report date: 2016/09/12
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/833
Root cause: integer overflow
Patch: https://github.com/uclouvain/openjpeg/pull/834

3. Null Pointer Access in function sycc422_to_rgb of color.c
A null pointer access issue was found in function sycc422_to_rgb of color.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/06/28
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/792
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

4. Null Pointer Access in function color_esycc_to_rgb of color.c
A null pointer access issue was found in function color_esycc_to_rgb of color.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/25
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/785
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

5. Null Pointer Access in function sycc444_to_rgb of color.c
A null pointer access issue was found in function sycc444_to_rgb of color.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/25
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/784
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

6. Null Pointer Access in function imagetopnm of convert.c
A null pointer access issue was found in function imagetopnm of convert.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/06
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/776
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

7. Multiple division-by-zero issues in function opj_pi_next_rpcl of pi.c
Multiple division-by-zero issues were found in function opj_pi_next_rpcl of pi.c during executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/05/06
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/780
Url2: https://github.com/uclouvain/openjpeg/issues/779
Root cause: division-by-zero
Patch: easy to fix, check before dividing

8. Multiple division-by-zero issues in function opj_pi_next_pcrl of pi.c
Multiple division-by-zero issues were found in function opj_pi_next_pcrl of pi.c during executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/05/06
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/777
Url2: https://github.com/uclouvain/openjpeg/issues/778
Root cause: division-by-zero
Patch: easy to fix, check before dividing

9. Multiple division-by-zero issues in function opj_pi_next_cprl of pi.c
Multiple division-by-zero issues were found in function opj_pi_next_cprl of pi.c during executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/03/28
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/731
Url2: https://github.com/uclouvain/openjpeg/issues/732
Root cause: division-by-zero
Patch: easy to fix, check before dividing

Regards,
Ke
Tencent's Xuanwu LAB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.