oss-sec mailing list archives
Re: CVE Request: Multiple security issues in OpenJPEG
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 22 Aug 2017 12:57:09 -0700
Most of these seem to be fixed now in OpenJPEG's recent 2.2.0 release. Did CVE id's ever get assigned for them?

-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 09/18/16 07:00 PM, winsonliu(刘科) wrote:
Hi,

This is Ke Liu of Tencent's Xuanwu LAB. I reported some security issues to OpenJPEG some months ago. Could you please assign some CVE numbers for them? Thanks.

The memory issues may lead to code execution, other issues may simply lead to DoS problems. BTW, proof-of-concept files for all issues were supplied. For more details, please click the issue links below.

1. Out-of-Bounds Write in opj_mqc_byteout of mqc.c

An Out-of-Bounds Write issue can be triggered in function opj_mqc_byteout of mqc.c during executing opj_compress. This issue was caused by a malformed BMP file.

AddressSanitizer: heap-buffer-overflow, WRITE of size 1
Report date: 2016/09/12
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/835
Root cause: not clear
Patch: no patch supplied

2. Out-of-Bounds Read in function bmp24toimage of convertbmp.c

An Out-of-Bounds Read issue was found in function bmp24toimage of convertbmp.c during executing opj_compress. The root cause of this issue was an Integer Overflow issue. This issue was caused by a malformed BMP file.

AddressSanitizer: heap-buffer-overflow, READ of size 1
Report date: 2016/09/12
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/833
Root cause: integer overflow
Patch: https://github.com/uclouvain/openjpeg/pull/834

3. Null Pointer Access in function sycc422_to_rgb of color.c

A null pointer access issue was found in function sycc422_to_rgb of color.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/06/28
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/792
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

4. Null Pointer Access in function color_esycc_to_rgb of color.c

A null pointer access issue was found in function color_esycc_to_rgb of color.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/25
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/785
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

5. Null Pointer Access in function sycc444_to_rgb of color.c

A null pointer access issue was found in function sycc444_to_rgb of color.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/25
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/784
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

6. Null Pointer Access in function imagetopnm of convert.c

A null pointer access issue was found in function imagetopnm of convert.c during executing opj_decompress. This issue was caused by a malformed J2K file.

AddressSanitizer: SEGV on unknown address 0x00000000
Report date: 2016/05/06
Status: Not fixed
Url: https://github.com/uclouvain/openjpeg/issues/776
Root cause: null pointer dereference
Patch: easy to fix, check before accessing

7. Multiple division-by-zero issues in function opj_pi_next_rpcl of pi.c

Multiple division-by-zero issues were found in function opj_pi_next_rpcl of pi.c during executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/05/06
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/780
Url2: https://github.com/uclouvain/openjpeg/issues/779
Root cause: division-by-zero
Patch: easy to fix, check before dividing

8. Multiple division-by-zero issues in function opj_pi_next_pcrl of pi.c

Multiple division-by-zero issues were found in function opj_pi_next_pcrl of pi.c during executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/05/06
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/777
Url2: https://github.com/uclouvain/openjpeg/issues/778
Root cause: division-by-zero
Patch: easy to fix, check before dividing

9. Multiple division-by-zero issues in function opj_pi_next_cprl of pi.c

Multiple division-by-zero issues were found in function opj_pi_next_cprl of pi.c during executing opj_decompress. The issues were caused by malformed J2K files.

AddressSanitizer: SIGFPE, Arithmetic exception
Report date: 2016/03/28
Status: Not fixed
Url1: https://github.com/uclouvain/openjpeg/issues/731
Url2: https://github.com/uclouvain/openjpeg/issues/732
Root cause: division-by-zero
Patch: easy to fix, check before dividing

Regards,
Ke
Tencent's Xuanwu LAB
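
Issue 2 in the report above attributes the out-of-bounds read in bmp24toimage to an integer overflow. The following C code is an added illustration, not OpenJPEG's code and not the patch from pull request 834: it assumes the overflow arises in 32-bit row-size arithmetic and shows a checked alternative. The function names and the `avail` parameter are hypothetical; the stride formula is the standard BMP rule of padding rows to 4 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked: width * bpp is computed in 32 bits and wraps for large
 * widths, so the stride can come out far smaller than the real row. */
static uint32_t stride_unchecked(uint32_t width, uint32_t bpp)
{
    return ((width * bpp + 31U) / 32U) * 4U;
}

/* Checked: does the arithmetic in 64 bits and verifies that the pixel
 * data fits in the 'avail' bytes left in the file (hypothetical
 * parameter). Returns 0 and fills stride/total, or -1 on rejection. */
static int bmp_layout_checked(uint32_t width, uint32_t height, uint32_t bpp,
                              size_t avail, size_t *stride, size_t *total)
{
    uint64_t bits, s, t;

    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    bits = (uint64_t)width * bpp;        /* two 32-bit values: fits in 64 */
    s = ((bits + 31U) / 32U) * 4U;       /* bytes per padded row */
    if (s > UINT32_MAX)
        return -1;                       /* stride must fit the 32-bit field */
    t = s * height;                      /* both < 2^32, product fits in 64 */
    if (t > avail)
        return -1;                       /* header claims more than the file holds */
    *stride = (size_t)s;
    *total = (size_t)t;
    return 0;
}

int main(void)
{
    size_t s = 0, t = 0;
    /* Constructed header values: 0x20000000 pixels wide, 24 bpp. */
    printf("unchecked stride: %u\n", stride_unchecked(0x20000000U, 24U));
    if (bmp_layout_checked(0x20000000U, 1U, 24U, 1024U, &s, &t) != 0)
        printf("checked: rejected, row does not fit in 1024 bytes\n");
    if (bmp_layout_checked(3U, 2U, 24U, 24U, &s, &t) == 0)
        printf("checked: stride=%zu total=%zu\n", s, t);
    return 0;
}
```
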