Bug 1335482 (CVE-2016-4796)

Summary: CVE-2016-4796 openjpeg: Heap buffer overflow in function color_cmyk_to_rgb in color.c
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dmoppert, hobbes1069, manisandro, phracek, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-31 05:28:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1335484, 1335485, 1335486    
Bug Blocks: 1335487    

Description Adam Mariš 2016-05-12 10:06:49 UTC 
A heap buffer overflow in function color_cmyk_to_rgb in color.c.

Upstream patch:

https://github.com/uclouvain/openjpeg/commit/162f6199c0cd3ec1c6c6dc65e41b2faab92b2d91

CVE request:

http://seclists.org/oss-sec/2016/q2/327
Comment 1 Adam Mariš 2016-05-12 10:11:53 UTC 
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1335485]
Comment 2 Adam Mariš 2016-05-12 10:11:59 UTC 
Created openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1335484]
Affects: epel-all [bug 1335486]
Comment 3 Andrej Nemec 2016-05-13 08:15:17 UTC 
CVE assignment:

http://seclists.org/oss-sec/2016/q2/342
Comment 4 Doran Moppert 2016-05-30 06:45:47 UTC 
Versions of openjpeg in rhel are too old to be affected by this issue.
Comment 5 Doran Moppert 2016-05-31 01:55:13 UTC 
Adjusted cvss2 score.  The overflow area is written with data computed using an OOB read and then manipulated through colourspace conversion (i goes out of bounds in the below loop), so successfully achieving C/I compromise is high complexity.

https://github.com/uclouvain/openjpeg/blob/162f6199c0cd3ec1c6c6dc65e41b2faab92b2d91/src/bin/common/color.c#L874-L892

NVD gives this a much higher score, but I don't think that's reasonable in this case:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4796

CIA=PPP and AC=M to reflect that DoS is low complexity, but C/I is high.
Comment 6 Fedora Update System 2016-07-14 14:51:55 UTC 
openjpeg2-2.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-07-16 21:21:02 UTC 
openjpeg2-2.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-07-18 18:26:56 UTC 
mingw-openjpeg2-2.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-07-18 20:53:43 UTC 
mingw-openjpeg2-2.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.