Bug 1037948 (CVE-2013-6887)

Summary: CVE-2013-6887 openjpeg: multiple denial of service flaws in version 1.5.1
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: pfrields, phracek, security-response-team, vdanen
Target Milestone: --- Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2013-12-06 09:53:31 UTC Type: ---
Bug Depends On: 1038409, 1038981    
Bug Blocks: 1036502    
Attachments:
Description: proposed patch; Flags: none

Description Murray McAllister 2013-12-04 06:23:55 UTC
Raphael Geissert discovered multiple denial of service flaws in OpenJPEG. If a specially-crafted image were opened by an application linked against OpenJPEG, it could cause the application to crash.

These issues only affected the version of OpenJPEG as shipped in Fedora (version 1.5.1).

Acknowledgements:

Red Hat would like to thank Raphael Geissert for reporting these issues during a review for EDF.

Comment 3 Huzaifa S. Sidhpurwala 2013-12-06 09:49:38 UTC
Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1038409]

Comment 4 Huzaifa S. Sidhpurwala 2013-12-06 09:49:41 UTC
Created mingw-openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1038981]

Comment 5 Murray McAllister 2013-12-11 07:40:58 UTC
Created attachment 835153
proposed patch