oss-sec mailing list archives
RE: CVE Request: Multiple security issues in OpenJPEG
From: winsonliu(刘科) <winsonliu () tencent com>
Date: Wed, 30 Aug 2017 07:33:28 +0000
Hello,

CVE-2016-10504 ~ 10507 have been assigned to these issues.

Regards,
Ke
[Suggested description]
Heap-based buffer overflow vulnerability in the opj_mqc_byteout function in mqc.c in OpenJPEG before 2.2.0 allows remote attackers to cause a denial of service (application crash) via a crafted bmp file.

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_compress, function: opj_mqc_byteout, file: mqc.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via a crafted bmp file

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/835
https://github.com/uclouvain/openjpeg/commit/397f62c0a838e15d667ef50e27d5d011d2c79c04

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10504.
[Suggested description]
NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.

------------------------------------------

[VulnerabilityType Other]
Null pointer dereference

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_decompress, function: imagetopnm, sycc444_to_rgb, color_esycc_to_rgb, sycc422_to_rgb, file: color.c, convert.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via crafted j2k files

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/776
https://github.com/uclouvain/openjpeg/issues/784
https://github.com/uclouvain/openjpeg/issues/785
https://github.com/uclouvain/openjpeg/issues/792

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10505.
[Suggested description]
Division-by-zero vulnerabilities in the functions opj_pi_next_cprl, opj_pi_next_pcrl, and opj_pi_next_rpcl in pi.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.

------------------------------------------

[VulnerabilityType Other]
division-by-zero

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_decompress, function: opj_pi_next_cprl, opj_pi_next_pcrl, opj_pi_next_rpcl, file: pi.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via crafted j2k files

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/731
https://github.com/uclouvain/openjpeg/issues/732
https://github.com/uclouvain/openjpeg/issues/777
https://github.com/uclouvain/openjpeg/issues/778
https://github.com/uclouvain/openjpeg/issues/779
https://github.com/uclouvain/openjpeg/issues/780
https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10506.
[Suggested description]
Integer overflow vulnerability in the bmp24toimage function in convertbmp.c in OpenJPEG before 2.2.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted bmp file.

------------------------------------------

[Vulnerability Type]
Integer Overflow

------------------------------------------

[Vendor of Product]
OpenJPEG

------------------------------------------

[Affected Product Code Base]
OpenJPEG - before 2.2.0

------------------------------------------

[Affected Component]
executable file: opj_compress, function: bmp24toimage, file: convertbmp.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
via a crafted bmp file

------------------------------------------

[Reference]
https://github.com/uclouvain/openjpeg/issues/833
https://github.com/uclouvain/openjpeg/commit/da940424816e11d624362ce080bc026adffa26e8

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Ke Liu of Tencent's Xuanwu LAB
Use CVE-2016-10507.

-----Original Message-----
From: winsonliu
Sent: August 30, 2017 10:48
To: 'Vladis Dronov' <vdronov () redhat com>; 'oss-security () lists openwall com' <oss-security () lists openwall com>; 'Alan Coopersmith' <alan.coopersmith () oracle com>
Cc: 'cve-assign' <cve-assign () mitre org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG

Hello,

I've already submitted these issues to https://cveform.mitre.org/ . As expected, four CVE numbers will be assigned since some of them have the same root cause.

Regards,
Ke

-----Original Message-----
From: winsonliu
Sent: August 25, 2017 20:16
To: 'Vladis Dronov' <vdronov () redhat com>; 'oss-security () lists openwall com' <oss-security () lists openwall com>; 'Alan Coopersmith' <alan.coopersmith () oracle com>
Cc: 'cve-assign' <cve-assign () mitre org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG

Hello,

I'll submit them to cveform next week. And I'll update this thread when more information is available.

Regards,
Ke

-----Original Message-----
From: winsonliu
Sent: August 24, 2017 9:26
To: 'Vladis Dronov' <vdronov () redhat com>; oss-security () lists openwall com; 'Alan Coopersmith' <alan.coopersmith () oracle com>
Cc: cve-assign <cve-assign () mitre org>
Subject: RE: [oss-security] CVE Request: Multiple security issues in OpenJPEG

I'm afraid no CVEs were assigned. At least I did not submit these issues to https://cveform.mitre.org/

Regards,
Ke

-----Original Message-----
From: Vladis Dronov [mailto:vdronov () redhat com]
Sent: August 23, 2017 19:53
To: oss-security () lists openwall com
Cc: winsonliu <winsonliu () tencent com>; cve-assign <cve-assign () mitre org>
Subject: Re: [oss-security] CVE Request: Multiple security issues in OpenJPEG (Internet mail)
Most of these seem to be fixed now in OpenJPEG's recent 2.2.0 release. Did CVE id's ever get assigned for them?
If no one reported them and requested CVE-ids via https://cveform.mitre.org/ then I suppose not, no CVE-ids were assigned.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer