Bug 1755769 (CVE-2018-21010)

Summary: CVE-2018-21010 openjpeg: heap buffer overflow in color_apply_icc_profile in bin/common/color.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jaromir.capik, jjoyce, jschluet, lhh, lpeer, manisandro, mburns, nforro, oliver, rdieter, sclewis, slinaber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openjpeg 2.3.1
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow has been discovered in OpenJPEG in the function color_apply_icc_profile, while applying the color transformation. An application that uses OpenJPEG to parse untrusted images may be vulnerable to this flaw, which would allow an attacker to crash the application or potentially execute code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 10:48:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1755770, 1755771, 1755772, 1755773, 1758238
Bug Blocks: 1755775

Description Dhananjay Arunesh 2019-09-26 07:57:26 UTC
A vulnerability was found in OpenJPEG before 2.3.1: a heap buffer overflow in color_apply_icc_profile in bin/common/color.c.

Reference:
https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea

Comment 1 Dhananjay Arunesh 2019-09-26 07:58:19 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1755772]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1755770]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1755773]
Affects: fedora-all [bug 1755771]

Comment 2 Riccardo Schirone 2019-10-02 14:07:38 UTC
openjpeg2 in rhel-7 and rhel-8 does not include the function color_apply_icc_profile(), because it is built only if `defined(OPJ_HAVE_LIBLCMS2) || defined(OPJ_HAVE_LIBLCMS1)`. Even though lcms2-devel is in the BuildRequires of the spec file, the library is not found by the cmake build system, because the thirdparty directory is removed (the code that defines OPJ_HAVE_LIBLCMS is there).

Comment 5 Riccardo Schirone 2019-10-03 16:27:45 UTC
Function color_apply_icc_profile() does not properly check whether the width/height values of the image components are all the same for the first three components, but it makes this assumption for the rest of the code. If the second or the third component has a width/height less than the first, a heap-based buffer overflow is possible while writing the transformed data back into the components' data.
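The size mismatch described in comment 5, shown as an added illustration in C. This is not OpenJPEG's code and not the upstream fix; the component/image structs, the transform_pixel stand-in for the lcms call, and the 4x4 luma / 2x2 chroma test image (as a 4:2:0 subsampled codestream would yield) are constructed here. apply_icc_unchecked mirrors the flawed pattern: the pixel count is taken from component 0 and applied to components 1 and 2. apply_icc_checked adds the dimension check the comment says is missing, and overrun_samples quantifies, without triggering it, how far past the end of a smaller buffer the unchecked loop would write.

```c
/* Added illustration of the CVE-2018-21010 pattern; not OpenJPEG's own code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned w, h;   /* component dimensions as read from the codestream */
    int *data;       /* heap buffer holding exactly w*h samples */
} comp_t;

typedef struct {
    unsigned numcomps;
    comp_t comps[3];
} image_t;

/* Hypothetical stand-in for the lcms colour transform: any per-pixel mix will do. */
static void transform_pixel(int *r, int *g, int *b)
{
    int y = (*r + *g + *b) / 3;
    *r = y; *g = y; *b = y;
}

/* Vulnerable pattern: the pixel count comes from comps[0] only, and comps[1]
 * and comps[2] are assumed to have the same dimensions. If either is smaller,
 * the reads and the write-back run past the end of its heap buffer. */
static void apply_icc_unchecked(image_t *img)
{
    unsigned max = img->comps[0].w * img->comps[0].h;
    for (unsigned i = 0; i < max; i++) {
        int r = img->comps[0].data[i];
        int g = img->comps[1].data[i];   /* OOB read when comps[1] is smaller */
        int b = img->comps[2].data[i];
        transform_pixel(&r, &g, &b);
        img->comps[0].data[i] = r;
        img->comps[1].data[i] = g;       /* heap write past comps[1].data's end */
        img->comps[2].data[i] = b;
    }
}

/* Hardened: refuse unless the first three components agree in size.
 * Returns 0 if the transform was applied, -1 if the image was rejected. */
int apply_icc_checked(image_t *img)
{
    if (img->numcomps < 3)
        return -1;
    for (unsigned c = 1; c < 3; c++)
        if (img->comps[c].w != img->comps[0].w || img->comps[c].h != img->comps[0].h)
            return -1;
    apply_icc_unchecked(img);
    return 0;
}

/* Dry run: samples the unchecked loop would write past the end of component c. */
long overrun_samples(const image_t *img, unsigned c)
{
    long n0 = (long)img->comps[0].w * img->comps[0].h;
    long nc = (long)img->comps[c].w * img->comps[c].h;
    return n0 > nc ? n0 - nc : 0;
}

/* Constructed image: component 0 is w0 x h0, components 1 and 2 are wc x hc. */
int image_init(image_t *img, unsigned w0, unsigned h0, unsigned wc, unsigned hc)
{
    unsigned dims[3][2] = { {w0, h0}, {wc, hc}, {wc, hc} };
    img->numcomps = 3;
    for (unsigned c = 0; c < 3; c++) {
        img->comps[c].w = dims[c][0];
        img->comps[c].h = dims[c][1];
        img->comps[c].data = calloc((size_t)dims[c][0] * dims[c][1], sizeof(int));
        if (!img->comps[c].data)
            return -1;
    }
    return 0;
}

void image_free(image_t *img)
{
    for (unsigned c = 0; c < 3; c++)
        free(img->comps[c].data);
}

/* 4x4 luma with 2x2 chroma: the check must reject it (returns -1). */
int demo_subsampled_rejected(void)
{
    image_t img;
    if (image_init(&img, 4, 4, 2, 2) != 0) return -99;
    int rc = apply_icc_checked(&img);
    image_free(&img);
    return rc;
}

/* Same image: 16 - 4 = 12 samples would be written past each chroma buffer. */
long demo_subsampled_overrun(void)
{
    image_t img;
    if (image_init(&img, 4, 4, 2, 2) != 0) return -99;
    long n = overrun_samples(&img, 1);
    image_free(&img);
    return n;
}

/* All three components 4x4: the only case where the transform may run (returns 0). */
int demo_matching_applied(void)
{
    image_t img;
    if (image_init(&img, 4, 4, 4, 4) != 0) return -99;
    int rc = apply_icc_checked(&img);
    image_free(&img);
    return rc;
}

int main(void)
{
    printf("subsampled: checked rc=%d, overrun per chroma comp=%ld samples\n",
           demo_subsampled_rejected(), demo_subsampled_overrun());
    printf("matching:   checked rc=%d\n", demo_matching_applied());
    return 0;
}
```

The unchecked loop is deliberately never called on the mismatched image, since that would be real undefined behaviour; the dry-run counter shows the same fact safely. Rejecting the image is the right response for a decoder fed untrusted input: an image whose chroma planes are smaller than its luma plane is a legitimate subsampled layout, so the transform must either resample or refuse, never assume equal sizes.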

Comment 7 Riccardo Schirone 2019-10-04 08:59:58 UTC
Mitigation:

If the application accepts untrusted images there is no known mitigation apart from applying the patch.