Bug 1381268 (CVE-2016-8332)

Summary: CVE-2016-8332 openjpeg2: JPEG2000 mcc record Code Execution Vulnerability
Product: [Other] Security Response
Component: vulnerability
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: erik-fedora, hobbes1069, jaromir.capik, jwildman, manisandro, nforro, oliver, phracek, rdieter, slawomir
Fixed In Version:
Last Closed: 2016-12-09 05:36:19 UTC
Bug Depends On: 1381269, 1381270, 1381271, 1381460
Bug Blocks: 1374338

Description Andrej Nemec 2016-10-03 14:23:21 UTC
An exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library. A specially crafted jpeg2000 file can cause an out-of-bounds heap write, resulting in heap corruption leading to arbitrary code execution. For a successful attack, the target user needs to open a malicious jpeg2000 file. The jpeg2000 image file format is mostly used for embedding images inside PDF documents, and the OpenJpeg library is used by a number of popular PDF renderers, making PDF documents a likely attack vector.

External References:

http://www.talosintelligence.com/reports/TALOS-2016-0193/
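Added example (not code from this bug, from the Talos report, or from OpenJPEG): the bug class the description names is a marker-segment parser that writes file-supplied records into a heap array sized from the image header while trusting a count that also comes from the file. The record layout used below (a 2-byte length that counts itself, a 1-byte record count, then 2-byte component indices) is a hypothetical stand-in; the real MCC segment layout and the actual OpenJPEG fix are not reproduced here, and the state struct, function names and sample segments are all constructed for this illustration. The vulnerable form is shown beside a hardened one that checks the declared length against the bytes present, the record count against the allocated slots, and each index against the component count before storing anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state (not OpenJPEG's): one slot per image
 * component, sized from the image header before any marker segments are
 * parsed. This is the buffer a file-controlled record count overruns. */
typedef struct {
    uint32_t  num_comps;     /* component count from the image header */
    uint16_t *comp_records;  /* heap array with exactly num_comps slots */
} toy_state;

toy_state *toy_state_new(uint32_t num_comps) {
    toy_state *st = calloc(1, sizeof *st);
    if (!st) return NULL;
    st->num_comps = num_comps;
    st->comp_records = calloc(num_comps, sizeof *st->comp_records);
    if (!st->comp_records) { free(st); return NULL; }
    return st;
}

void toy_state_free(toy_state *st) {
    if (!st) return;
    free(st->comp_records);
    free(st);
}

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);   /* big-endian, as JPEG 2000 fields are */
}

/* Toy segment layout (hypothetical): Lrec (2 bytes, counts itself),
 * Nrec (1 byte), then Nrec 2-byte component indices.
 *
 * Vulnerable pattern: Nrec comes from the file and is used directly as the
 * loop bound for writes into comp_records, which has only num_comps slots.
 * A crafted segment with Nrec > num_comps overruns the heap buffer, and a
 * segment shorter than it claims is read past its end. */
int parse_records_vulnerable(toy_state *st, const uint8_t *seg, size_t seg_len) {
    if (seg_len < 3) return -1;
    uint8_t nrec = seg[2];
    const uint8_t *p = seg + 3;
    for (uint8_t i = 0; i < nrec; i++) {
        st->comp_records[i] = rd16(p);   /* heap write past num_comps when nrec is large */
        p += 2;                          /* read past seg_len when the segment is short */
    }
    return nrec;
}

/* Hardened form: every file-supplied quantity is checked against a quantity
 * the decoder controls before it is used. Returns the number of records
 * stored, or -1 (storing nothing) for a malformed segment. */
int parse_records_hardened(toy_state *st, const uint8_t *seg, size_t seg_len) {
    if (seg_len < 3) return -1;
    uint16_t lrec = rd16(seg);
    if (lrec < 3 || lrec > seg_len) return -1;             /* declared length vs bytes present */
    uint8_t nrec = seg[2];
    if ((size_t)nrec > st->num_comps) return -1;          /* record count vs allocated slots */
    if ((size_t)lrec != 3 + 2 * (size_t)nrec) return -1;  /* length and count must agree */
    const uint8_t *p = seg + 3;
    for (uint8_t i = 0; i < nrec; i++) {                  /* validate all indices first */
        if (rd16(p + 2 * i) >= st->num_comps) return -1;
    }
    for (uint8_t i = 0; i < nrec; i++) {                  /* only then write into the heap array */
        st->comp_records[i] = rd16(p + 2 * i);
    }
    return nrec;
}

/* Constructed sample segments for a 3-component image. */
const uint8_t BENIGN_SEG[]    = { 0x00, 0x07, 0x02, 0x00, 0x00, 0x00, 0x02 };
/* Nrec = 8 records against 3 slots: the vulnerable parser writes 5 entries past the end. */
const uint8_t CRAFTED_SEG[]   = { 0x00, 0x13, 0x08,
                                  0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
                                  0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01 };
/* Declares 7 bytes but carries 5: the vulnerable parser reads past the end. */
const uint8_t TRUNCATED_SEG[] = { 0x00, 0x07, 0x02, 0x00, 0x00 };
/* One record whose component index (5) does not exist in a 3-component image. */
const uint8_t BAD_INDEX_SEG[] = { 0x00, 0x05, 0x01, 0x00, 0x05 };

int main(void) {
    toy_state *st = toy_state_new(3);
    if (!st) return 1;
    printf("benign   : hardened=%d vulnerable=%d\n",
           parse_records_hardened(st, BENIGN_SEG, sizeof BENIGN_SEG),
           parse_records_vulnerable(st, BENIGN_SEG, sizeof BENIGN_SEG));
    /* The vulnerable parser is deliberately not run on the malformed inputs. */
    printf("crafted  : hardened=%d\n", parse_records_hardened(st, CRAFTED_SEG, sizeof CRAFTED_SEG));
    printf("truncated: hardened=%d\n", parse_records_hardened(st, TRUNCATED_SEG, sizeof TRUNCATED_SEG));
    printf("bad index: hardened=%d\n", parse_records_hardened(st, BAD_INDEX_SEG, sizeof BAD_INDEX_SEG));
    toy_state_free(st);
    return 0;
}
```

The hardened parser validates the whole segment before storing anything, so a rejected segment leaves the decoder state untouched; that matters when the same state is reused for the next marker segment. Building a harness like this around a real parser, with the crafted cases run under AddressSanitizer, is the usual way to confirm an out-of-bounds write of this kind without a full renderer in the loop.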

Comment 1 Andrej Nemec 2016-10-03 14:23:55 UTC
Created openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1381269]
Affects: fedora-all [bug 1381270]
Affects: epel-all [bug 1381271]

Comment 2 Andrej Nemec 2016-10-04 07:41:21 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1381460]

Comment 3 Doran Moppert 2016-12-09 05:35:29 UTC
openjpeg-1 is not affected by this issue, as it does not attempt to parse MCC records.