Date: Tue, 27 Sep 2016 10:54:00 +0930
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045

First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
same underlying issue.

https://github.com/uclouvain/openjpeg/issues/724

> Origin of the issue is the same as #725

https://github.com/uclouvain/openjpeg/issues/725

Original requests:

http://seclists.org/oss-sec/2016/q1/630
http://seclists.org/oss-sec/2016/q1/631


.. it gets more interesting.  The reproducer on issue 725 happens to tickle
a flaw in a patch for CVE-2013-6045 that was posted here back when:

http://seclists.org/oss-sec/2013/q4/412

segfault-1.patch uses:

+		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
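Review bot: the buffer for this component is sized from comp0size, i.e. the sample count of component 0, rather than from the size of the component that tilec belongs to (compcsize, as the post points out); whenever the components differ in size the allocation does not match the data that will be stored in it, which is the flaw the post describes. Suggest `tilec->data = (int*) opj_aligned_malloc((compcsize+3) * sizeof(int));`, keeping the +3 slack the original line uses.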

which should have used compcsize instead of comp0size.

Upstream never included this patch - deeper work went into eliminating this and
other issues in openjpeg-1.5.2.  The patch that addresses this particular issue
seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).

https://github.com/uclouvain/openjpeg/commit/69cd4f92
https://github.com/uclouvain/openjpeg/issues/297

This hasn't been an issue in upstream openjpeg releases for a long time ...
but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
patches from here applied.  Those should preferably upgrade to 1.5.2:  changing
comp0size to compcsize eliminates this particular crash, but the upstream fixes
that got into 1.5.2 seem to more thoroughly address some of the underlying
problems.



-- 
Doran Moppert
Red Hat Product Security
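The allocation mistake discussed above (sizing every component's buffer from component 0 instead of from the component itself) is easy to reproduce in a few lines. The following is an added illustration, not code from the post or from openjpeg: it uses a constructed `comp_t` with per-component subsampling factors, computes each component's real sample count, and contrasts the comp0-based sizing with sizing from the component's own dimensions. The helper names and the sample images are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for one image component: only the subsampling
 * factors matter here. A component holds one sample per dx x dy pixels. */
typedef struct {
    uint32_t dx, dy;
} comp_t;

/* Number of samples component c holds for a w x h image (ceil division). */
static size_t comp_size(uint32_t w, uint32_t h, const comp_t *c) {
    size_t cw = ((size_t)w + c->dx - 1) / c->dx;
    size_t ch = ((size_t)h + c->dy - 1) / c->dy;
    return cw * ch;
}

/* The pattern the post criticises: the buffer for component idx is sized
 * from component 0 (comp0size + 3), whatever idx is. Returns element count. */
static size_t buggy_alloc_elems(uint32_t w, uint32_t h,
                                const comp_t *comps, size_t idx) {
    (void)idx;                              /* idx is ignored: that is the bug */
    return comp_size(w, h, &comps[0]) + 3;
}

/* Corrected sizing: use the size of the component the buffer belongs to. */
static size_t fixed_alloc_elems(uint32_t w, uint32_t h,
                                const comp_t *comps, size_t idx) {
    return comp_size(w, h, &comps[idx]) + 3;
}

/* Check used below: does the comp0-based sizing leave component idx with
 * fewer elements than it actually holds? */
static int buggy_underallocates(uint32_t w, uint32_t h,
                                const comp_t *comps, size_t idx) {
    return buggy_alloc_elems(w, h, comps, idx) < comp_size(w, h, &comps[idx]);
}

/* Allocate a zeroed buffer for component idx with the corrected sizing,
 * refusing sizes whose byte count would overflow size_t. */
static int *alloc_component(uint32_t w, uint32_t h,
                            const comp_t *comps, size_t idx) {
    size_t n = fixed_alloc_elems(w, h, comps, idx);
    if (n > SIZE_MAX / sizeof(int))
        return NULL;
    return calloc(n, sizeof(int));
}

/* Constructed 8x8 images. SAMPLE_A subsamples component 0 more heavily
 * than component 1, so component 1 is the larger one; SAMPLE_B is the
 * common layout where component 0 is the largest. */
static const comp_t SAMPLE_A[2] = { {2, 2}, {1, 1} };
static const comp_t SAMPLE_B[2] = { {1, 1}, {2, 2} };

int main(void) {
    for (size_t i = 0; i < 2; i++) {
        printf("A comp%zu: real=%zu buggy=%zu fixed=%zu under=%d\n", i,
               comp_size(8, 8, &SAMPLE_A[i]), buggy_alloc_elems(8, 8, SAMPLE_A, i),
               fixed_alloc_elems(8, 8, SAMPLE_A, i), buggy_underallocates(8, 8, SAMPLE_A, i));
    }
    int *buf = alloc_component(8, 8, SAMPLE_A, 1);
    if (!buf) return 1;
    free(buf);
    return 0;
}
```

With SAMPLE_A the comp0-based size (16 + 3 = 19 elements) is smaller than the 64 samples component 1 holds, so the sizing is wrong in exactly the direction that matters; with SAMPLE_B it merely over-allocates. Sizing from the component's own dimensions gives a correct count in both cases.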

