Bug 1418147 (CVE-2016-9112)

Summary: CVE-2016-9112 openjpeg2: Floating point exception vulnerability in openjpeg2 when processing untrusted images
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: erik-fedora, hobbes1069, jaromir.capik, manisandro, nforro, oliver, phracek, rdieter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2017-02-01 03:11:16 UTC
Bug Depends On: 1418149, 1418150, 1418151, 1418152    
Bug Blocks: 1374338    

Description Doran Moppert 2017-02-01 02:25:53 UTC
A floating point exception vulnerability was found in the latest openjpeg2.  A maliciously crafted file could cause the application to crash.

This issue has multiple occurrences in the openjpeg2 code.

openjpeg-1 is also affected.

Upstream bug:

https://github.com/uclouvain/openjpeg/issues/855

Comment 1 Doran Moppert 2017-02-01 02:44:12 UTC
Created mingw-openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1418151]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1418149]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1418152]
Affects: fedora-all [bug 1418150]

Comment 2 Doran Moppert 2017-02-01 03:10:45 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security
impact. This issue is not currently planned to be addressed in future
updates. For additional information, refer to the Issue Severity
Classification: https://access.redhat.com/security/updates/classification/.