Bug 1905762 (CVE-2020-27823)

Summary: CVE-2020-27823 openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode()
Product: [Other] Security Response
Reporter: Todd Cullum <tcullum>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jaromir.capik, manisandro, nforro, oliver, rdieter, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openjpeg 2.4.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 18:21:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1906219, 1906220, 1906221, 1906222
Bug Blocks: 1902194, 1939847

Description Todd Cullum 2020-12-09 01:53:56 UTC
In openjpeg v2.3.1 and prior, there's a heap buffer overflow in opj_tcd_dc_level_shift_encode() causing an out-of-bounds WRITE when crafted input is processed by the encoder and the -d option is used.

Reference: https://github.com/uclouvain/openjpeg/issues/1284
Upstream patch: https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919

Comment 1 Todd Cullum 2020-12-09 01:53:59 UTC
Acknowledgments:

Name: zodf0055980 (SQLab NCTU Taiwan)

Comment 4 Todd Cullum 2020-12-09 23:39:20 UTC
Statement:

Red Hat Product Security has rated this flaw with Moderate severity because it affects the encoder functionality specifically when performing an image conversion and not general reading of image files.

Comment 5 Todd Cullum 2020-12-09 23:40:08 UTC
Mitigation:

This flaw can be mitigated by not using openjpeg to convert untrusted image files.

Comment 6 Todd Cullum 2020-12-09 23:40:58 UTC
Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1906221]

Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1906219]
Affects: fedora-all [bug 1906220]

Comment 8 errata-xmlrpc 2021-11-09 17:56:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251