Bug 1950101 (CVE-2021-29338)

Summary: CVE-2021-29338 openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: hobbes1069, jaromir.capik, manisandro, nforro, oliver, rdieter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
There is a flaw in the opj2_compress program in openjpeg2 (the opj_compress utility upstream). When opj2_compress is pointed at a directory with the -ImgDir option, the number of files it finds there is used to size a heap buffer that holds one fixed-width entry per file. An attacker who can place an extremely large number of files in such a directory (1048576, i.e. 2^20, in the reporter's test) can make that size calculation overflow, so the buffer is allocated far too small and the subsequent per-file writes into it run past the end of the heap allocation. Only the opj2_compress command-line utility is affected; the openjpeg2 library itself does not contain the flaw, so the attack vector is local. The greatest threat posed by this flaw is to confidentiality, integrity, and availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 23:29:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1950102, 1950103, 1950104, 1950105, 1951332, 1951333, 1951697, 1951698
Bug Blocks: 1943659

Description Guilherme de Almeida Suckevicz 2021-04-15 18:28:11 UTC
Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Reference:
https://github.com/uclouvain/openjpeg/issues/1338
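The Doc Text and the reporter's description give the mechanism only in outline: the file count gathered from the -ImgDir directory feeds a buffer-size multiplication that wraps once the count reaches 2^20. The C program below is an added illustration written for this page, not code from openjpeg or from this bug report. It models that arithmetic with a per-entry slot width assumed to match upstream's OPJ_PATH_LEN of 4096 bytes, puts the vulnerable sizing beside a hardened version that widens to size_t before multiplying and rejects counts that cannot be represented, and counts how many filename slots would land outside the allocation. The function names and the directory sizes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed to match upstream opj_compress.c: every directory entry gets a
 * fixed-width slot of OPJ_PATH_LEN bytes inside one heap buffer. */
#define OPJ_PATH_LEN 4096

/* Vulnerable sizing, modelled on the pattern this advisory describes.
 * The product num_images * OPJ_PATH_LEN is evaluated in a 32-bit integer
 * (uint32_t here so the wrap is well-defined; the real code multiplies
 * two ints, which is signed overflow and therefore undefined behaviour,
 * but it wraps the same way on every mainstream compiler). Only after
 * the wrap is the value widened to size_t and handed to malloc(), so
 * 2^20 entries yield malloc(0). */
size_t vulnerable_buf_size(int num_images)
{
    uint32_t bytes32 = (uint32_t)num_images * (uint32_t)OPJ_PATH_LEN;
    return (size_t)bytes32;
}

/* Hardened sizing: widen first, then check the multiplication cannot
 * overflow size_t. Returns 0 and stores the size on success, -1 when the
 * count is negative or the product is not representable. */
int safe_buf_size(int num_images, size_t *out)
{
    if (num_images < 0)
        return -1;
    size_t n = (size_t)num_images;
    if (n > SIZE_MAX / OPJ_PATH_LEN)
        return -1;
    *out = n * (size_t)OPJ_PATH_LEN;
    return 0;
}

/* Given the bytes actually allocated and the number of entries that will
 * be written at OPJ_PATH_LEN-byte strides, return how many of those
 * entries fall outside the allocation. Each such entry is a heap
 * out-of-bounds write in the vulnerable program. Division instead of
 * multiplication keeps this check itself overflow-free. */
size_t count_oob_slots(size_t buf_size, int num_images)
{
    if (num_images < 0)
        return 0;
    size_t slots_in_bounds = buf_size / OPJ_PATH_LEN;
    size_t n = (size_t)num_images;
    return n > slots_in_bounds ? n - slots_in_bounds : 0;
}

int main(void)
{
    /* Constructed directory sizes: just below the wrap point, exactly
     * 2^20 (the count from the report), and one past it. */
    const int counts[] = { 1048575, 1048576, 1048577 };
    for (size_t k = 0; k < sizeof counts / sizeof counts[0]; k++) {
        int n = counts[k];
        size_t vuln = vulnerable_buf_size(n);
        size_t safe = 0;
        int rc = safe_buf_size(n, &safe);
        printf("%d files: vulnerable code calls malloc(%zu), leaving %zu "
               "of %d slots out of bounds; hardened code %s",
               n, vuln, count_oob_slots(vuln, n), n,
               rc == 0 ? "allocates " : "rejects the count\n");
        if (rc == 0)
            printf("%zu bytes (%zu slots out of bounds)\n",
                   safe, count_oob_slots(safe, n));
    }
    return 0;
}
```

The hardened form is the general fix for this class of bug: never let a count-times-width product be computed in a narrower type than the one malloc() consumes, and bound the count against SIZE_MAX divided by the width before multiplying. The same pattern applies to any allocation sized from attacker-influenced counts such as directory listings, header fields or array lengths.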

Comment 1 Guilherme de Almeida Suckevicz 2021-04-15 18:28:41 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1950103]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1950104]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-7 [bug 1950102]
Affects: fedora-all [bug 1950105]

Comment 4 Todd Cullum 2021-04-19 22:58:53 UTC
This is not a "remote" attack because the opj2_compress tool is not bound to the network. If someone or a script is taking remotely-retrieved files and then running them against opj2_compress, it should not be considered a remote attack from the aspect of the opj2_compress tool itself.

Comment 6 Todd Cullum 2021-04-19 23:06:29 UTC
Statement:

This flaw affects the opj2_compress utility but is not in the openjpeg2 library. Therefore, the attack vector is local to the opj2_compress utility and would require an attacker to convince a user to open a directory with an extremely large number of files using opj2_compress, or a script to be feeding such arbitrary, untrusted files to opj2_compress.

Comment 9 errata-xmlrpc 2021-11-09 17:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251