Message-ID: <20160927012359.GA30247@sin.redhat.com>
Date: Tue, 27 Sep 2016 10:54:00 +0930
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045
First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
same underlying issue.
https://github.com/uclouvain/openjpeg/issues/724
> Origin of the issue is the same as #725
https://github.com/uclouvain/openjpeg/issues/725
Original requests:
http://seclists.org/oss-sec/2016/q1/630
http://seclists.org/oss-sec/2016/q1/631
.. it gets more interesting. The reproducer on issue 725 happens to tickle
a flaw in a patch for CVE-2013-6045 that was posted here back when:
http://seclists.org/oss-sec/2013/q4/412
segfault-1.patch uses:
+ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
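Review bot: the allocation size on this line is derived from comp0size (the size of component 0) while the buffer being allocated is tilec->data for the component currently being set up; any component whose dimensions differ from component 0 therefore gets an undersized buffer and later writes into it run past the allocation. The size should come from the current component, i.e. `tilec->data = (int*) opj_aligned_malloc((compcsize+3) * sizeof(int));`, as the message notes.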
which should have used compcsize instead of comp0size.
Upstream never included this patch - deeper work went into eliminating this and
other issues in openjpeg-1.5.2. The patch that addresses this particular issue
seems to be 69cd4f92 (hunk starting /* testcase 1336.pdf.asan.47.376 */).
https://github.com/uclouvain/openjpeg/commit/69cd4f92
https://github.com/uclouvain/openjpeg/issues/297
This hasn't been an issue in upstream openjpeg releases for a long time ...
but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
patches from here applied. Those should preferably upgrade to 1.5.2: changing
comp0size to compcsize eliminates this particular crash, but the upstream fixes
that got into 1.5.2 seem to more thoroughly address some of the underlying
problems.
--
Doran Moppert
Red Hat Product Security