Bug 1390231 (CVE-2016-9113, CVE-2016-9114, CVE-2016-9115, CVE-2016-9116, CVE-2016-9117, CVE-2016-9118)

Summary: CVE-2016-9113 CVE-2016-9114 CVE-2016-9115 CVE-2016-9116 CVE-2016-9117 CVE-2016-9118 openjpeg2: Multiple security issues
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmoppert, erik-fedora, hobbes1069, jaromir.capik, manisandro, nforro, oliver, phracek, rdieter, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-01 03:09:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1381271, 1390234, 1390235    
Bug Blocks: 1374338    

Description Andrej Nemec 2016-10-31 14:34:06 UTC
Multiple issues in openjpeg2 were discovered by fuzzing. An attacker could create a malicious file that, when processed by openjpeg2 command line tools, could cause a crash or, potentially, code execution.

See comment 4 for individual details.

Comment 1 Andrej Nemec 2016-10-31 14:34:42 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1390235]

Comment 2 Andrej Nemec 2016-10-31 14:34:48 UTC
Created openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1390234]

Comment 3 Andrej Nemec 2016-10-31 14:35:25 UTC
Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1381271]

Comment 4 Andrej Nemec 2016-10-31 15:33:03 UTC
Adding multiple other issues which received CVEs.

CVE-2016-9113: NULL pointer dereference in function imagetobmp

https://github.com/uclouvain/openjpeg/issues/856

CVE-2016-9114: NULL pointer access in function imagetopnm

https://github.com/uclouvain/openjpeg/issues/857

CVE-2016-9115: Heap-buffer overflow in function imagetotga

https://github.com/uclouvain/openjpeg/issues/858

CVE-2016-9116: NULL pointer access in function imagetopnm

https://github.com/uclouvain/openjpeg/issues/859

CVE-2016-9117: NULL pointer access in function imagetopnm

https://github.com/uclouvain/openjpeg/issues/860

CVE-2016-9118: Heap-buffer overflow in function pnmtoimage

https://github.com/uclouvain/openjpeg/issues/861

Comment 5 Doran Moppert 2016-12-09 05:56:37 UTC
Some of these flaws may also affect openjpeg-1.

Impact is mostly low:

 - CVE-2016-9112 is a SIGFPE decoding crafted files
 - all but CVE-2016-9112 only affect command-line tools, not openjpeg-libs
 - CVE-2016-9115 and CVE-2016-9118 are heap buffer overflows
 - the rest are NULL pointer exceptions which don't seem (so far) to have any further impact

No patches available upstream yet.

Comment 6 Doran Moppert 2017-02-01 02:32:45 UTC
CVE-2016-9112 has been moved to bug 1418147, as it has different affects and impact than the rest of the flaws discussed here.