Date: Tue, 22 Aug 2017 12:57:09 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com, winsonliu(刘科) <winsonliu@...cent.com>
Cc: cve-assign <cve-assign@...re.org>
Subject: Re: CVE Request: Multiple security issues in OpenJPEG

Most of these seem to be fixed now in OpenJPEG's recent 2.2.0 release.
Did CVE IDs ever get assigned for them?

	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 09/18/16 07:00 PM, winsonliu(刘科) wrote:
> Hi,
> 
> This is Ke Liu of Tencent's Xuanwu LAB. I reported some security issues to OpenJPEG some months ago. Could you please assign some CVE numbers for them? Thanks.
> 
> The memory issues may lead to code execution, other issues may simply lead to DoS problems.
> 
> BTW, proof-of-concept files for all issues were supplied. For more details, please click the issue links below.
> 
> 1. Out-of-Bounds Write in opj_mqc_byteout of mqc.c
> 
> An Out-of-Bounds Write issue can be triggered in function opj_mqc_byteout of mqc.c while executing opj_compress. This issue was caused by a malformed BMP file.
> 
> AddressSanitizer: heap-buffer-overflow, WRITE of size 1
> Report date: 2016/09/12
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/835
> Root cause: not clear
> Patch: no patch supplied
> 
> 2. Out-of-Bounds Read in function bmp24toimage of convertbmp.c
> 
> An Out-of-Bounds Read issue was found in function bmp24toimage of convertbmp.c while executing opj_compress. The root cause of this issue was an Integer Overflow issue. This issue was caused by a malformed BMP file.
> 
> AddressSanitizer: heap-buffer-overflow, READ of size 1
> Report date: 2016/09/12
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/833
> Root cause: integer overflow
> Patch: https://github.com/uclouvain/openjpeg/pull/834
> 
> 3. Null Pointer Access in function sycc422_to_rgb of color.c
> 
> A null pointer access issue was found in function sycc422_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/06/28
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/792
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 4. Null Pointer Access in function color_esycc_to_rgb of color.c
> 
> A null pointer access issue was found in function color_esycc_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/05/25
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/785
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 5. Null Pointer Access in function sycc444_to_rgb of color.c
> 
> A null pointer access issue was found in function sycc444_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/05/25
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/784
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 6. Null Pointer Access in function imagetopnm of convert.c
> 
> A null pointer access issue was found in function imagetopnm of convert.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/05/06
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/776
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 7. Multiple division-by-zero issues in function opj_pi_next_rpcl of pi.c
> 
> Multiple division-by-zero issues were found in function opj_pi_next_rpcl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.
> 
> AddressSanitizer: SIGFPE, Arithmetic exception
> Report date: 2016/05/06
> Status: Not fixed
> Url1: https://github.com/uclouvain/openjpeg/issues/780
> Url2: https://github.com/uclouvain/openjpeg/issues/779
> Root cause: division-by-zero
> Patch: easy to fix, check before dividing
> 
> 8. Multiple division-by-zero issues in function opj_pi_next_pcrl of pi.c
> 
> Multiple division-by-zero issues were found in function opj_pi_next_pcrl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.
> 
> AddressSanitizer: SIGFPE, Arithmetic exception
> Report date: 2016/05/06
> Status: Not fixed
> Url1: https://github.com/uclouvain/openjpeg/issues/777
> Url2: https://github.com/uclouvain/openjpeg/issues/778
> Root cause: division-by-zero
> Patch: easy to fix, check before dividing
> 
> 9. Multiple division-by-zero issues in function opj_pi_next_cprl of pi.c
> 
> Multiple division-by-zero issues were found in function opj_pi_next_cprl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.
> 
> AddressSanitizer: SIGFPE, Arithmetic exception
> Report date: 2016/03/28
> Status: Not fixed
> Url1: https://github.com/uclouvain/openjpeg/issues/731
> Url2: https://github.com/uclouvain/openjpeg/issues/732
> Root cause: division-by-zero
> Patch: easy to fix, check before dividing
> 
> Regards,
> Ke
> Tencent's Xuanwu LAB
> 
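Item 2 in the quoted report names the bug class most worth understanding here: an integer overflow in a BMP size computation that leaves the allocated pixel buffer smaller than the loop that fills it assumes, which is what ASan then reports as a heap-buffer-overflow read of size 1. The following is an added illustration of that class and of the usual fix, not code from OpenJPEG, not the reporter's proof-of-concept, and not the fix in the linked pull request. The 40-byte header it parses is constructed inline; the function names (parse_dims, pixel_bytes_unchecked, pixel_bytes_checked, demo_unchecked, demo_checked) are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three fields of a BITMAPINFOHEADER that drive the pixel-buffer size.
 * Offsets in the 40-byte header: biWidth at 4, biHeight at 8, biBitCount at 14. */
typedef struct { uint32_t width, height; uint16_t bpp; } bmp_dims_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse the three fields out of an info header; reject input that is too short. */
static bool parse_dims(const uint8_t *hdr, size_t len, bmp_dims_t *d) {
    if (len < 40) return false;
    d->width  = le32(hdr + 4);
    d->height = le32(hdr + 8);
    d->bpp    = (uint16_t)(hdr[14] | hdr[15] << 8);
    return true;
}

/* Vulnerable pattern (hypothetical, not OpenJPEG's code): every multiply is done
 * in uint32_t and silently wraps, so a huge image can yield a tiny allocation
 * that the later per-pixel loop walks straight past. */
static uint32_t pixel_bytes_unchecked(const bmp_dims_t *d) {
    return d->width * d->height * (uint32_t)(d->bpp / 8);
}

/* Hardened pattern: refuse zero dimensions and unsupported depths, and check
 * each product against the range of the type before computing it. */
static bool pixel_bytes_checked(const bmp_dims_t *d, uint32_t *out) {
    if (d->width == 0 || d->height == 0) return false;
    if (d->bpp != 8 && d->bpp != 24 && d->bpp != 32) return false;
    uint32_t bytespp = d->bpp / 8;
    if (d->width > UINT32_MAX / bytespp) return false;
    uint32_t stride = d->width * bytespp;
    if (d->height > UINT32_MAX / stride) return false;
    *out = stride * d->height;
    return true;
}

/* Build a constructed 40-byte info header (not taken from any real PoC file). */
static void make_hdr(uint8_t hdr[40], uint32_t w, uint32_t h, uint16_t bpp) {
    memset(hdr, 0, 40);
    put32(hdr, 40);          /* biSize */
    put32(hdr + 4, w);       /* biWidth */
    put32(hdr + 8, h);       /* biHeight */
    hdr[12] = 1;             /* biPlanes */
    hdr[14] = bpp & 0xff;    /* biBitCount, little-endian */
    hdr[15] = bpp >> 8;
}

/* Bytes the wrapping code would allocate for a (w, h, bpp) header. */
static uint32_t demo_unchecked(uint32_t w, uint32_t h, uint16_t bpp) {
    uint8_t hdr[40]; bmp_dims_t d;
    make_hdr(hdr, w, h, bpp);
    parse_dims(hdr, sizeof hdr, &d);
    return pixel_bytes_unchecked(&d);
}

/* Bytes the checked code accepts for the same header, or -1 if it rejects it. */
static int64_t demo_checked(uint32_t w, uint32_t h, uint16_t bpp) {
    uint8_t hdr[40]; bmp_dims_t d; uint32_t n;
    make_hdr(hdr, w, h, bpp);
    parse_dims(hdr, sizeof hdr, &d);
    return pixel_bytes_checked(&d, &n) ? (int64_t)n : -1;
}

int main(void) {
    /* 0x40000001 * 4 wraps to 4 in 32 bits, times 3 bytes per pixel is 12:
     * the same number a benign 2x2 image produces. */
    printf("malformed 0x40000001x4: unchecked=%u checked=%lld\n",
           demo_unchecked(0x40000001u, 4, 24), (long long)demo_checked(0x40000001u, 4, 24));
    printf("benign 2x2:             unchecked=%u checked=%lld\n",
           demo_unchecked(2, 2, 24), (long long)demo_checked(2, 2, 24));
    return 0;
}
```

The point the two demo calls make is that the wrapped product is indistinguishable from a legitimate small image by the time malloc sees it, so the check has to happen on the inputs of each multiplication, not on its result. Checking against UINT32_MAX rather than SIZE_MAX matters too: on a 64-bit host a size_t product of two 32-bit fields never overflows, but the decoder that later indexes the buffer still does its arithmetic in the 32-bit type.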