Message-ID: <1F2D4DA31CA62740BFF46830A0E6A4F7066F14D7@EXMBX-TJ002.tencent.com>
Date: Mon, 19 Sep 2016 02:00:55 +0000
From: winsonliu(刘科) <winsonliu@...cent.com>
To: oss-security <oss-security@...ts.openwall.com>
CC: cve-assign <cve-assign@...re.org>
Subject: CVE Request: Multiple security issues in OpenJPEG

Hi,

This is Ke Liu of Tencent's Xuanwu LAB. I reported some security issues to OpenJPEG some months ago. Could you please assign some CVE numbers for them? Thanks.

The memory issues may lead to code execution; the other issues may simply lead to DoS problems. BTW, proof-of-concept files for all issues were supplied. For more details, please click the issue links below.

1. Out-of-Bounds Write in opj_mqc_byteout of mqc.c

An Out-of-Bounds Write issue can be triggered in function opj_mqc_byteout of mqc.c while executing opj_compress. This issue was caused by a malformed BMP file.

AddressSanitizer: heap-buffer-overflow, WRITE of size 1
Report date: 2016/09/12
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/835
Root cause: not clear
Patch: no patch supplied

2. Out-of-Bounds Read in function bmp24toimage of convertbmp.c

An Out-of-Bounds Read issue was found in function bmp24toimage of convertbmp.c while executing opj_compress. The root cause of this issue was an Integer Overflow issue. This issue was caused by a malformed BMP file.

AddressSanitizer: heap-buffer-overflow, READ of size 1
Report date: 2016/09/12
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/833
Root cause: integer overflow
Patch: https://github.com/uclouvain/openjpeg/pull/834

3. Null Pointer Access in function sycc422_to_rgb of color.c

A null pointer access issue was found in function sycc422_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/06/28
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/792
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

4. Null Pointer Access in function color_esycc_to_rgb of color.c

A null pointer access issue was found in function color_esycc_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/25
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/785
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

5. Null Pointer Access in function sycc444_to_rgb of color.c

A null pointer access issue was found in function sycc444_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/25
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/784
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

6. Null Pointer Access in function imagetopnm of convert.c

A null pointer access issue was found in function imagetopnm of convert.c while executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/06
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/776
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

7. Multiple division-by-zero issues in function opj_pi_next_rpcl of pi.c

Multiple division-by-zero issues were found in function opj_pi_next_rpcl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/05/06
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/780
Url2: https://github.com/uclouvain/openjpeg/issues/779
Root cause: division-by-zero
Patch: easy to fix, check before dividing

8. Multiple division-by-zero issues in function opj_pi_next_pcrl of pi.c

Multiple division-by-zero issues were found in function opj_pi_next_pcrl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/05/06
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/777
Url2: https://github.com/uclouvain/openjpeg/issues/778
Root cause: division-by-zero
Patch: easy to fix, check before dividing

9. Multiple division-by-zero issues in function opj_pi_next_cprl of pi.c

Multiple division-by-zero issues were found in function opj_pi_next_cprl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/03/28
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/731
Url2: https://github.com/uclouvain/openjpeg/issues/732
Root cause: division-by-zero
Patch: easy to fix, check before dividing

Regards,
Ke
Tencent's Xuanwu LAB
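Editor's note (added example, not part of the post above and not OpenJPEG's code): the two root-cause classes the report names for the bugs it lists, an integer overflow when sizing a BMP pixel buffer (item 2) and an unchecked divisor (items 7-9), both come down to validating header-derived arithmetic before it is used. The C below is a hypothetical, self-contained illustration of that defensive pattern: an overflow-checked computation of a BMP pixel array size (using the real BMP rule that rows are padded to 4 bytes), a bounds check of that size against the bytes actually present, and a divide guard that reports failure instead of faulting. Function names and the header fields are constructed for the example; it makes no claim about how bmp24toimage or opj_pi_next_* are actually written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Overflow-checked size_t multiply: returns false instead of wrapping. */
static bool mul_size(size_t a, size_t b, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b) return false;
    *out = a * b;
    return true;
}

/* Byte size of a BMP pixel array for the given header fields. Rows are
 * padded to a multiple of 4 bytes (the BMP stride rule). Rejects zero
 * dimensions, unsupported depths, and any intermediate that would wrap.
 * Hypothetical validator, not OpenJPEG's bmp24toimage. */
bool checked_bmp_pixel_bytes(uint32_t width, uint32_t height,
                             uint32_t bits_per_pixel, size_t *out) {
    if (width == 0 || height == 0) return false;
    if (bits_per_pixel != 8 && bits_per_pixel != 24 && bits_per_pixel != 32)
        return false;
    size_t row_bytes, stride, total;
    if (!mul_size((size_t)width, bits_per_pixel / 8, &row_bytes)) return false;
    if (row_bytes > SIZE_MAX - 3) return false;      /* padding add would wrap */
    stride = (row_bytes + 3) & ~(size_t)3;
    if (!mul_size(stride, (size_t)height, &total)) return false;
    *out = total;
    return true;
}

/* Convenience wrapper for callers that treat 0 as "invalid header". */
size_t bmp_pixel_bytes_or_zero(uint32_t width, uint32_t height,
                               uint32_t bits_per_pixel) {
    size_t n;
    return checked_bmp_pixel_bytes(width, height, bits_per_pixel, &n) ? n : 0;
}

/* Before touching pixel data, confirm the declared image fits the bytes
 * actually present, so a row-copy loop cannot run past the buffer. */
bool bmp_pixels_in_bounds(uint32_t width, uint32_t height,
                          uint32_t bits_per_pixel, size_t data_len) {
    size_t need;
    if (!checked_bmp_pixel_bytes(width, height, bits_per_pixel, &need)) return false;
    return need <= data_len;
}

/* The "check before dividing" pattern: a zero divisor derived from header
 * fields yields false rather than SIGFPE. quot may be NULL if unused. */
bool checked_div_u32(uint32_t num, uint32_t den, uint32_t *quot) {
    if (den == 0) return false;
    if (quot) *quot = num / den;
    return true;
}

int main(void) {
    /* Constructed inputs: a sane 4x2 24-bit image and an absurd header. */
    printf("4x2x24: %zu bytes\n", bmp_pixel_bytes_or_zero(4, 2, 24));
    printf("max x max x 32: %s\n",
           bmp_pixel_bytes_or_zero(UINT32_MAX, UINT32_MAX, 32) ? "ok" : "rejected");
    printf("divide by zero: %s\n", checked_div_u32(10, 0, NULL) ? "ok" : "rejected");
    return 0;
}
```

The point for reviewers of such fixes is that the overflow check has to wrap every multiplication and addition on the path from header to allocation size, and that the size must then be compared with the input length before any read; a null or zero check added only at the crash site covers the reported PoC but not the next one.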