Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Sep 2016 15:23:32 +0200
From: Robert Święcki <robert@...ecki.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - openjpeg null ptr dereference

Hi,

2016-09-18 14:41 GMT+02:00 vul@...safe <vul@...safe.com>:
> # Vulnerability

Would you have an idea who (and how) is exactly *vulnerable* to this
specific vulnerability?

> openjpeg null ptr dereference in convert.c:1331
>
> # Version
> 2.1.1  ( http://www.openjpeg.org/ )
>
> # Address Sanitizer Output
> ASAN:SIGSEGV
> =================================================================
> ==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc
> 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
>     #0 0x815d203 in skip_white
> /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
>     #1 0x8135d81 in main
> /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
>     #2 0xf7343636 in __libc_start_main ??:?
>     #3 0x807a31b in _start ??:?
>
> # PoC
> See poc.ppm
>
> # Analysis
> In convert.c:1483 and convert.c:1485, variable s is uncheck after
> skip_int is called.
> A null ptr will be passed to skip_int again and will cause a null ptr
> dereference.
>
> # Report Timeline
> 2016-09-16: FB3F15 of STARLAB discovered this issue
> 2016-09-18:Patch released
>
> # Credit
> FB3F15 of STARLAB
>
> # PoC
> https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm
>
> # External link
> https://github.com/uclouvain/openjpeg/issues/843

-- 
Robert Święcki

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.