Bug 1390231 (CVE-2016-9113, CVE-2016-9114, CVE-2016-9115, CVE-2016-9116, CVE-2016-9117, CVE-2016-9118)

Summary: CVE-2016-9113 CVE-2016-9114 CVE-2016-9115 CVE-2016-9116 CVE-2016-9117 CVE-2016-9118 openjpeg2: Multiple security issues
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: dmoppert, erik-fedora, hobbes1069, jaromir.capik, manisandro, nforro, oliver, phracek, rdieter, slawomir
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-02-01 03:09:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1381271, 1390234, 1390235
Bug Blocks: 1374338

Description Andrej Nemec 2016-10-31 14:34:06 UTC
Multiple issues in openjpeg2 were discovered by fuzzing. An attacker could create a malicious file that, when processed by openjpeg2 command line tools, could cause a crash or, potentially, code execution.

See comment 4 for individual details.

Comment 1 Andrej Nemec 2016-10-31 14:34:42 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1390235]

Comment 2 Andrej Nemec 2016-10-31 14:34:48 UTC
Created openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1390234]

Comment 3 Andrej Nemec 2016-10-31 14:35:25 UTC
Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1381271]

Comment 4 Andrej Nemec 2016-10-31 15:33:03 UTC
Adding multiple other issues which received CVEs.

CVE-2016-9113: NULL pointer dereference in function imagetobmp

https://github.com/uclouvain/openjpeg/issues/856

CVE-2016-9114: NULL pointer access in function imagetopnm

https://github.com/uclouvain/openjpeg/issues/857

CVE-2016-9115: Heap-buffer overflow in function imagetotga

https://github.com/uclouvain/openjpeg/issues/858

CVE-2016-9116: NULL pointer access in function imagetopnm

https://github.com/uclouvain/openjpeg/issues/859

CVE-2016-9117: NULL pointer access in function imagetopnm

https://github.com/uclouvain/openjpeg/issues/860

CVE-2016-9118: Heap-buffer overflow in function pnmtoimage

https://github.com/uclouvain/openjpeg/issues/861

Comment 5 Doran Moppert 2016-12-09 05:56:37 UTC
Some of these flaws may also affect openjpeg-1.

Impact is mostly low:

 - CVE-2016-9112 is a SIGFPE decoding crafted files
 - all but CVE-2016-9112 only affect command-line tools, not openjpeg-libs
 - CVE-2016-9115 and CVE-2016-9118 are heap buffer overflows
 - the rest are NULL pointer exceptions which don't seem (so far) to have any further impact

No patches available upstream yet.

Comment 6 Doran Moppert 2017-02-01 02:32:45 UTC
CVE-2016-9112 has been moved to bug 1418147, as it has different affects and impact than the rest of the flaws discussed here.