Date: Tue, 27 Sep 2016 10:54:00 +0930
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045

First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the same underlying issue.

https://github.com/uclouvain/openjpeg/issues/724

> Origin of the issue is the same as #725

https://github.com/uclouvain/openjpeg/issues/725

Original requests:

http://seclists.org/oss-sec/2016/q1/630
http://seclists.org/oss-sec/2016/q1/631

.. it gets more interesting. The reproducer on issue 725 happens to tickle a flaw in a patch for CVE-2013-6045 that was posted here back when:

http://seclists.org/oss-sec/2013/q4/412

segfault-1.patch uses:

+ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));

which should have used compcsize instead of comp0size.

Upstream never included this patch - deeper work went into eliminating this and other issues in openjpeg-1.5.2. The patch that addresses this particular issue seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).

https://github.com/uclouvain/openjpeg/commit/69cd4f92
https://github.com/uclouvain/openjpeg/issues/297

This hasn't been an issue in upstream openjpeg releases for a long time ... but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the patches from here applied. Those should preferably upgrade to 1.5.2: changing comp0size to compcsize eliminates this particular crash, but the upstream fixes that got into 1.5.2 seem to more thoroughly address some of the underlying problems.

--
Doran Moppert
Red Hat Product Security
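The defect described in the message (every component's tile buffer sized from component 0 alone, so a larger component overruns its buffer) is a general allocation-sizing mistake. The following C program is an added illustration, not OpenJPEG's code and not the patch from the 2013 thread: it uses a constructed, hypothetical `tilecomp_t` model with per-component bounds, a `first_underallocated()` check that reports which component the comp0size-style sizing would leave short, and `alloc_tile_buffers()`, which sizes each buffer from its own component (the `compcsize` pattern) with overflow checks before the multiply.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed model of a tile component (hypothetical; not OpenJPEG's struct).
 * x0..x1 / y0..y1 are the component's sample bounds inside the tile, already
 * reduced by that component's subsampling factors, so components can differ
 * in size within one tile. */
typedef struct {
    int x0, y0, x1, y1;
    int32_t *data;    /* per-component sample buffer */
    size_t nsamples;  /* int32_t elements actually allocated in data */
} tilecomp_t;

/* Samples a component needs; 0 for degenerate bounds or size_t overflow. */
static size_t comp_size(const tilecomp_t *c) {
    if (c->x1 <= c->x0 || c->y1 <= c->y0) return 0;
    size_t w = (size_t)(c->x1 - c->x0);
    size_t h = (size_t)(c->y1 - c->y0);
    if (h > SIZE_MAX / w) return 0;           /* w * h would overflow */
    return w * h;
}

/* Check for the comp0size mistake: returns the index of the first component
 * whose own size exceeds component 0's, i.e. the first buffer that sizing
 * everything from component 0 would leave too small; -1 if none. */
static int first_underallocated(const tilecomp_t *comps, int ncomps) {
    size_t comp0size = comp_size(&comps[0]);
    for (int i = 1; i < ncomps; i++)
        if (comp_size(&comps[i]) > comp0size) return i;
    return -1;
}

static void free_tile_buffers(tilecomp_t *comps, int ncomps) {
    for (int i = 0; i < ncomps; i++) {
        free(comps[i].data);
        comps[i].data = NULL;
        comps[i].nsamples = 0;
    }
}

/* Corrected pattern: size every buffer from its own component (compcsize),
 * keeping the +3 slack of the original line and checking the arithmetic
 * before it reaches the allocator. Returns 1 on success, 0 on failure
 * (nothing is left allocated on failure). */
static int alloc_tile_buffers(tilecomp_t *comps, int ncomps) {
    for (int i = 0; i < ncomps; i++) {
        size_t compcsize = comp_size(&comps[i]);
        if (compcsize == 0 || compcsize > SIZE_MAX / sizeof(int32_t) - 3) {
            free_tile_buffers(comps, i);
            return 0;
        }
        comps[i].data = calloc(compcsize + 3, sizeof(int32_t));
        if (comps[i].data == NULL) {
            free_tile_buffers(comps, i);
            return 0;
        }
        comps[i].nsamples = compcsize + 3;
    }
    return 1;
}

/* Constructed tile: component 0 is 2x2-subsampled (8x8 samples), component 1
 * is full resolution (16x16). Sizing both buffers from component 0 would
 * give component 1 a 67-element buffer for 256 samples. */
static tilecomp_t sample_comps[2] = {
    { 0, 0, 8, 8, NULL, 0 },
    { 0, 0, 16, 16, NULL, 0 },
};

int main(void) {
    int bad = first_underallocated(sample_comps, 2);
    printf("comp0size-style sizing first under-allocates component %d\n", bad);
    if (!alloc_tile_buffers(sample_comps, 2)) {
        fprintf(stderr, "allocation failed\n");
        return 1;
    }
    for (int i = 0; i < 2; i++)
        printf("component %d: %zu samples allocated\n", i, sample_comps[i].nsamples);
    free_tile_buffers(sample_comps, 2);
    return 0;
}
```

Running it reports that component 1 is the one a component-0-based size would short-change, then allocates 67 and 259 elements respectively. The same per-component check is a cheap thing to add to any codec's tile setup: if a buffer's size is derived from anything other than the object that will be written into it, the subsampled or oversized case eventually finds it.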