Date: Wed, 5 Oct 2016 13:06:03 +0200 From: Raphael Geissert <geissert@...ian.org> To: Open Source Security <oss-security@...ts.openwall.com> Subject: Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045 Hi, On 27 September 2016 at 03:24, Doran Moppert <dmoppert@...hat.com> wrote: > First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the > same underlying issue. > > https://github.com/uclouvain/openjpeg/issues/724 > >> Origin of the issue is the same as #725 > > https://github.com/uclouvain/openjpeg/issues/725 [...] > .. it gets more interesting. The reproducer on issue 725 happens to tickle > a flaw in a patch for CVE-2013-6045 that was posted here back when: > > http://seclists.org/oss-sec/2013/q4/412 > > segfault-1.patch uses: > > + tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int)); > > which should have used compcsize instead of comp0size. Yes, indeed. This patch also introduced a regression in the processing of some images. Cf. https://bugs.debian.org/734238 > This hasn't been an issue in upstream openjpeg releases for a long time ... > but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the > patches from here applied. Those should preferably upgrade to 1.5.2: changing > comp0size to compcsize eliminates this particular crash, but the upstream fixes > that got into 1.5.2 seem to more thoroughly address some of the underlying > problems. Do you specifically know of a distribution that still has that patch? If I remember the context correctly, the use of comp0size could then lead to a heap buffer overflow later on. Was that what you noticed? In any case, the patch should indeed better be replaced by the one provided upstream (cf. the Debian bug report). Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ