Bug 1626095 (CVE-2018-16376)

Summary: CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hobbes1069, jaromir.capik, manisandro, nforro, oliver, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:37:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1626322, 1626323, 1626324, 1626325, 1626326    
Bug Blocks: 1626097    

Description Pedro Sampaio 2018-09-06 14:48:09 UTC 
An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.

Upstream bug:

https://github.com/uclouvain/openjpeg/issues/1127
Comment 1 Huzaifa S. Sidhpurwala 2018-09-07 04:04:38 UTC 
Upstream issue: https://github.com/uclouvain/openjpeg/issues/992
Patch: https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e
Upstream reproducer: https://github.com/asarubbo/poc/blob/master/00322-openjpeg-heapoverflow-opj_t2_encode_packet
Comment 2 Huzaifa S. Sidhpurwala 2018-09-07 04:11:29 UTC 
Analysis: 

This is the classic case in which the length of the array is not checked and out of bounds buffers is written. Though this is a variable on the heap, because data written OOB is first operated on, exploitation is very difficult or even not possible in this case, reducing the impact to only crash. Though in realistic scenarios (when ASAN is not used), it seems like it should overwrite adjacent variables and not crash.
Comment 3 Huzaifa S. Sidhpurwala 2018-09-07 04:13:14 UTC 
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1626325]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1626322]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1626323]
Affects: fedora-all [bug 1626324]