oss-sec mailing list archives

RE: CVE Request: Multiple security issues in OpenJPEG


From: winsonliu(刘科) <winsonliu () tencent com>
Date: Wed, 30 Aug 2017 07:33:28 +0000

Hello,

CVE-2016-10504 ~ 10507 have been assigned to these issues.

Regards,
Ke

[Suggested description]
Heap-based buffer overflow vulnerability in the opj_mqc_byteout 
function in mqc.c in OpenJPEG before 2.2.0 allows remote attackers to 
cause a denial of service (application crash) via a crafted bmp file.

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_compress, function: opj_mqc_byteout, file: mqc.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via a crafted bmp file

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/835
https://github.com/uclouvain/openjpeg/commit/397f62c0a838e15d667ef50e27d5d011d2c79c04

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?] true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB

Use CVE-2016-10504.


[Suggested description]
NULL pointer dereference vulnerabilities in the imagetopnm function in 
convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb 
function in color.c, and sycc422_to_rgb function in color.c in 
OpenJPEG before 2.2.0 allow remote attackers to cause a denial of 
service (application crash) via crafted j2k files.

------------------------------------------

[VulnerabilityType Other]
Null pointer dereference

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_decompress, function: imagetopnm, sycc444_to_rgb, 
color_esycc_to_rgb, sycc422_to_rgb, file: color.c, convert.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via crafted j2k files

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/776
https://github.com/uclouvain/openjpeg/issues/784
https://github.com/uclouvain/openjpeg/issues/785
https://github.com/uclouvain/openjpeg/issues/792

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?] true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB

Use CVE-2016-10505.


[Suggested description]
Division-by-zero vulnerabilities in the functions opj_pi_next_cprl, 
opj_pi_next_pcrl, and opj_pi_next_rpcl in pi.c in OpenJPEG before
2.2.0 allow remote attackers to cause a denial of service (application 
crash) via crafted j2k files.

------------------------------------------

[VulnerabilityType Other]
division-by-zero

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_decompress, function: opj_pi_next_cprl, 
opj_pi_next_pcrl, opj_pi_next_rpcl, file: pi.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via crafted j2k files

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/731
https://github.com/uclouvain/openjpeg/issues/732
https://github.com/uclouvain/openjpeg/issues/777
https://github.com/uclouvain/openjpeg/issues/778
https://github.com/uclouvain/openjpeg/issues/779
https://github.com/uclouvain/openjpeg/issues/780
https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?] true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB

Use CVE-2016-10506.


[Suggested description]
Integer overflow vulnerability in the bmp24toimage function in 
convertbmp.c in OpenJPEG before 2.2.0 allows remote attackers to cause 
a denial of service (heap-based buffer over-read and application crash) via a crafted bmp file.

------------------------------------------

[Vulnerability Type]
Integer Overflow

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_compress, function: bmp24toimage, file: 
convertbmp.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via a crafted bmp file

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/833
https://github.com/uclouvain/openjpeg/commit/da940424816e11d624362ce080bc026adffa26e8

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?] true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB

Use CVE-2016-10507.

-----Original Message-----
From: winsonliu
Sent: 30 August 2017 10:48
To: 'Vladis Dronov' <vdronov () redhat com>; 'oss-security () lists openwall com' <oss-security () lists openwall com>; 'Alan Coopersmith' <alan.coopersmith () oracle com>
Cc: 'cve-assign' <cve-assign () mitre org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG

Hello,

I've already submitted these issues to https://cveform.mitre.org/ . As expected, four CVE numbers will be assigned 
since some of them have the same root cause.

Regards,
Ke

-----Original Message-----
From: winsonliu
Sent: 25 August 2017 20:16
To: 'Vladis Dronov' <vdronov () redhat com>; 'oss-security () lists openwall com' <oss-security () lists openwall com>; 'Alan Coopersmith' <alan.coopersmith () oracle com>
Cc: 'cve-assign' <cve-assign () mitre org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG

Hello,

I'll submit them to cveform next week. And I'll update this thread when more information is available.

Regards,
Ke

-----Original Message-----
From: winsonliu 
Sent: 24 August 2017 9:26
To: 'Vladis Dronov' <vdronov () redhat com>; oss-security () lists openwall com; 'Alan Coopersmith' <alan.coopersmith () oracle com>
Cc: cve-assign <cve-assign () mitre org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG

I'm afraid no CVEs were assigned. At least I did not submit these issues to https://cveform.mitre.org/ 

Regards,
Ke

-----Original Message-----
From: Vladis Dronov [mailto:vdronov () redhat com] 
Sent: 23 August 2017 19:53
To: oss-security () lists openwall com
Cc: winsonliu <winsonliu () tencent com>; cve-assign <cve-assign () mitre org>
Subject: Re: [oss-security] CVE Request: Multiple security issues in OpenJPEG (Internet mail)

Most of these seem to be fixed now in OpenJPEG's recent 2.2.0 release.
Did CVE id's ever get assigned for them?

If no one reported them and requested CVE-ids via https://cveform.mitre.org/ then I suppose not, no CVE-ids were 
assigned.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer