Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 Sep 2016 10:54:00 +0930
From: Doran Moppert <>
To: oss-security <>
Subject: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045

First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
same underlying issue.

> Origin of the issue is the same as #725

Original requests:

.. it gets more interesting.  The reproducer on issue 725 happens to tickle
a flaw in a patch for CVE-2013-6045 that was posted here back when:

segfault-1.patch uses:

+		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));

which should have used compcsize instead of comp0size.

Upstream never included this patch - deeper work went into eliminating this and
other issues in openjpeg-1.5.2.  The patch that addresses this particular issue
seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).

This hasn't been an issue in upstream openjpeg releases for a long time ...
but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
patches from here applied.  Those should preferably upgrade to 1.5.2:  changing
comp0size to compcsize eliminates this particular crash, but the upstream fixes
that got into 1.5.2 seem to more thoroughly address some of the underlying

Doran Moppert
Red Hat Product Security

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.