Bug 1007531 (CVE-2013-4289)

Summary: CVE-2013-4289 openjpeg: multiple heap-based buffer overflows
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: jcapik, jkurik, oliver, pfrields, phracek, rdieter
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-03-26 06:00:04 UTC
Bug Blocks: 1007534

Description Vincent Danen 2013-09-12 17:06:08 UTC
Seth Arnold reported [1] a number of integer overflows causing heap-based buffer overflows in openjpeg:

Many instances of malloc() and opj_malloc() using integers multiplied together or added together without any overflow checks, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#1825
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#487

He notes this is not an exhaustive list, but serves as examples. Upstream has, to this point, not responded so there are currently no patches.


[1] http://www.openwall.com/lists/oss-security/2013/09/12/2
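The allocation-size bug class described in the report, as an added example that is neither openjpeg's code nor taken from the report: a volume header with attacker-controlled dimensions is multiplied out unchecked (the product wraps and malloc() under-allocates), beside a checked version that refuses the header instead. The header struct, field names and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical volume header, constructed for this example: three
 * dimensions read from untrusted file data, as a JP3D-style parser would. */
typedef struct {
    uint32_t w, h, d;   /* width, height, depth (number of slices) */
} vol_hdr;

/* Unchecked pattern (the bug class in this report): the product of
 * file-controlled dimensions is computed in 32-bit arithmetic, wraps,
 * and the resulting malloc() is far smaller than later writes assume. */
uint32_t wrapped_bytes(const vol_hdr *hdr) {
    uint32_t n = hdr->w * hdr->h * hdr->d;        /* may wrap modulo 2^32 */
    return n * (uint32_t)sizeof(int32_t);         /* and wrap again here */
}

void *alloc_unchecked(const vol_hdr *hdr) {
    return malloc(wrapped_bytes(hdr));            /* possibly tiny buffer */
}

/* Hardened helper: size_t multiply that reports overflow instead of wrapping. */
int mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                                 /* would overflow: refuse */
    *out = a * b;
    return 1;
}

/* Bytes needed for the whole volume, or 0 if the size cannot be represented. */
size_t vol_bytes_checked(const vol_hdr *hdr) {
    size_t n;
    if (!mul_size(hdr->w, hdr->h, &n) ||
        !mul_size(n, hdr->d, &n) ||
        !mul_size(n, sizeof(int32_t), &n))
        return 0;
    return n;
}

void *alloc_checked(const vol_hdr *hdr) {
    size_t n = vol_bytes_checked(hdr);
    if (n == 0)
        return NULL;        /* reject the header rather than under-allocate */
    return malloc(n);
}
```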

Comment 1 Vincent Danen 2013-09-12 17:10:37 UTC
Acknowledgements:

Red Hat would like to thank Seth Arnold for reporting this issue.

Comment 2 Huzaifa S. Sidhpurwala 2014-03-26 05:59:31 UTC
This flaw exists in the JP3D image handling code of openjpeg. [Part 10 of JPEG 2000 (JP3D), which is concerned with volumetric imaging, aims to provide the same functionality and efficiency for 3D data sets as for its 2D counterparts.]

The above code is not present in the version of openjpeg shipped with Red Hat Enterprise Linux 6.

Statement:

Not vulnerable. This issue does not affect the version of openjpeg as shipped with Red Hat Enterprise Linux 6.

Comment 3 Huzaifa S. Sidhpurwala 2014-03-26 06:00:04 UTC
This issue does not affect the version of openjpeg as shipped with Fedora 19 and Fedora 20.