Bug 1007533 (CVE-2013-4290)

Summary: CVE-2013-4290 openjpeg: multiple stack-based buffer overflows
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ender, jcapik, jkurik, oliver, pfrields, phracek, rdieter, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-26 06:00:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1007534    

Description Vincent Danen 2013-09-12 17:10:52 UTC 
Seth Arnold reported [1] a number of stack-based buffer overflows in openjpeg:

Several incorrect uses of strncpy() with data that may not have a NUL terminating byte within the indicated space, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#260
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#279

Several incorect uses of strcpy() with data that may be longer than expected, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#188
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#192

Several incorrect uses of strcat() before accounting for the lengths, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#118
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#132

An incorrect use of sprintf() which can overflow a stack-based buffer:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#158

He notes this is not an exhaustive list, but serves as examples.  Upstream has, to this point, not responded so there are currently no patches.


[1] http://www.openwall.com/lists/oss-security/2013/09/12/2
Comment 1 Vincent Danen 2013-09-12 17:11:36 UTC 
Acknowledgements:

Red Hat would like to thank Seth Arnold for reporting this issue.
Comment 2 Huzaifa S. Sidhpurwala 2014-03-26 06:00:33 UTC 
This flaw exists in the JP3D image handling code of openjpeg. [Part 10 of JPEG20003 (JP3D), which is concerned with volumetric imaging, aims to provide the same functionality and efficiency for 3D data sets as for its 2D counterparts.]

The above code is not present in the version of openjpeg shipped with Red Hat Enterprise Linux 6.

Statement:

Not vulnerable. This issue does not affect the version of openjpeg as shipped with Red Hat Enterprise Linux 6.
Comment 3 Huzaifa S. Sidhpurwala 2014-03-26 06:00:50 UTC 
This issue does not affect the version of openjpeg as shipped with Fedora 19 and Fedora 20.
Comment 4 Ender 2015-12-01 21:14:48 UTC 
RHEL 7 still carries openjpeg 1.5.1, so this makes this security advisory also valid for that distribution.  Could you please make a change in the advisory to reflect that?

Thanks!
Comment 5 Kurt Seifried 2015-12-01 21:46:08 UTC 
(In reply to Ender from comment #4)
> RHEL 7 still carries openjpeg 1.5.1, so this makes this security advisory
> also valid for that distribution.  Could you please make a change in the
> advisory to reflect that?
> 
> Thanks!

We don't ship the affected code, e.g. in openjpeg-1.5.1-10.el7.src.rpm the affected files/code aren't included.