Date: Tue, 27 Sep 2016 10:54:00 +0930
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045

First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as
the same underlying issue.

https://github.com/uclouvain/openjpeg/issues/724
> Origin of the issue is the same as #725
https://github.com/uclouvain/openjpeg/issues/725

Original requests:
http://seclists.org/oss-sec/2016/q1/630
http://seclists.org/oss-sec/2016/q1/631

.. it gets more interesting.  The reproducer on issue 725 happens to tickle a
flaw in a patch for CVE-2013-6045 that was posted here back when:

http://seclists.org/oss-sec/2013/q4/412

segfault-1.patch uses:

+ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));

which should have used compcsize instead of comp0size.

Upstream never included this patch - deeper work went into eliminating this
and other issues in openjpeg-1.5.2.  The patch that addresses this particular
issue seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).

https://github.com/uclouvain/openjpeg/commit/69cd4f92
https://github.com/uclouvain/openjpeg/issues/297

This hasn't been an issue in upstream openjpeg releases for a long time ...
but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
patches from here applied.  Those should preferably upgrade to 1.5.2: changing
comp0size to compcsize eliminates this particular crash, but the upstream fixes
that got into 1.5.2 seem to more thoroughly address some of the underlying
problems.

-- 
Doran Moppert
Red Hat Product Security

Content of type "application/pgp-signature" skipped
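The following is an added illustration of the sizing mistake the message describes, not code from the post or from OpenJPEG. It models a tile with several components of different sample counts (JPEG 2000 components can be subsampled independently, so a crafted file can make component 0 smaller than the others) and compares the two allocation rules: sizing every component's buffer from component 0 (the "comp0size" line from segfault-1.patch) versus sizing it from the component actually being written ("compcsize"). The structure and function names (tile_comp_t, decode_tile, fill_component) are hypothetical; the fill step refuses to write when the allocation is too small, which is the check a decoder wants in front of any per-component write.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a tile component (illustrative names, not OpenJPEG's
 * own structures): the component's sample grid inside one tile. */
typedef struct {
    int w;      /* samples across, after subsampling */
    int h;      /* samples down, after subsampling */
} tile_comp_t;

/* Sample count of component c: what the thread calls "compcsize". */
static size_t comp_samples(const tile_comp_t *comps, int c) {
    return (size_t)comps[c].w * (size_t)comps[c].h;
}

/* Sizing rule from the flawed segfault-1.patch line: every component's buffer
 * is sized from component 0 ("comp0size"), whatever component is being decoded. */
static size_t alloc_bytes_comp0(const tile_comp_t *comps, int c) {
    (void)c;
    return (comp_samples(comps, 0) + 3) * sizeof(int);
}

/* Corrected rule: size the buffer from the component actually being written. */
static size_t alloc_bytes_compc(const tile_comp_t *comps, int c) {
    return (comp_samples(comps, c) + 3) * sizeof(int);
}

/* Bounds-checked fill: writes component c's samples into buf only if the
 * allocation covers them; returns 0 on success, -1 if it would overrun. */
static int fill_component(int *buf, size_t buf_bytes,
                          const tile_comp_t *comps, int c) {
    size_t n = comp_samples(comps, c);
    if (n * sizeof(int) > buf_bytes)
        return -1;                /* refuse instead of writing past the allocation */
    for (size_t i = 0; i < n; i++)
        buf[i] = (int)i;          /* stand-in for decoded sample data */
    return 0;
}

/* Decodes a tile under a given sizing rule and returns how many components
 * would have overrun their buffer (0 means the rule is safe for this tile). */
static int decode_tile(size_t (*sizer)(const tile_comp_t *, int),
                       const tile_comp_t *comps, int ncomps) {
    int overruns = 0;
    for (int c = 0; c < ncomps; c++) {
        size_t bytes = sizer(comps, c);
        int *buf = malloc(bytes);
        if (!buf)
            abort();
        if (fill_component(buf, bytes, comps, c) != 0)
            overruns++;
        free(buf);
    }
    return overruns;
}

/* Constructed tile: component 0 is 2x2 subsampled, components 1 and 2 are
 * full resolution, so comp0size is smaller than compcsize for c = 1, 2. */
static const tile_comp_t SAMPLE_TILE[3] = { {32, 32}, {64, 64}, {64, 64} };
#define SAMPLE_NCOMPS 3

int main(void) {
    printf("comp0size rule: %d component(s) overrun\n",
           decode_tile(alloc_bytes_comp0, SAMPLE_TILE, SAMPLE_NCOMPS));
    printf("compcsize rule: %d component(s) overrun\n",
           decode_tile(alloc_bytes_compc, SAMPLE_TILE, SAMPLE_NCOMPS));
    return 0;
}
```

With the constructed tile, the comp0size rule allocates (1024 + 3) * 4 bytes for every component while components 1 and 2 each need 4096 * 4 bytes, so two of the three writes are rejected by the check (and would be heap overflows without it); the compcsize rule rejects none. The point for anyone still carrying the old patch on a 1.5.1 or 1.3 tree is that the allocation must be driven by the same component whose samples are about to be written.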