Bug 812317 (CVE-2009-5030)

Summary: CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by processing certain Gray16 TIFF images
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: adam, erik-fedora, jcapik, oliver, rdieter, tgl
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20090731,reported=20120413,source=oss-security,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/openjpeg=affected,fedora-all/openjpeg=affected,fedora-all/mingw32-openjpeg=affected
Doc Type: Bug Fix
Last Closed: 2012-07-11 13:02:51 EDT
Bug Depends On: 812318, 812319, 831561, 831562
Bug Blocks: 812327

Description Jan Lieskovsky 2012-04-13 07:24:09 EDT
An out-of-bounds heap-based buffer read and write flaw, leading to an invalid free, was found in the way the tile coder / decoder (TCD) implementation of OpenJPEG, an open-source JPEG 2000 codec written in the C language, released previously allocated memory for the TCD encoder handle when processing certain Gray16 TIFF images. A remote attacker could provide a specially-crafted TIFF image file which, once converted into the JPEG 2000 file format with an application linked against OpenJPEG (such as 'image_to_j2k'), would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

Upstream ticket:
http://code.google.com/p/openjpeg/issues/detail?id=5

Reproducer:
http://openjpeg.googlecode.com/issues/attachment?aid=-3765789821971534182&name=random.tif&token=yuNnyJfWKmzzoKRYSCAI763B8Dk%3A1334312139415

CVE Request:
http://www.openwall.com/lists/oss-security/2012/04/13/1
Comment 1 Jan Lieskovsky 2012-04-13 07:26:35 EDT
This issue affects the version of the openjpeg package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the openjpeg and mingw32-openjpeg packages, as shipped with Fedora releases 15 and 16. Please schedule an update once a final upstream patch is available (there doesn't seem to be one as of right now).
Comment 3 Jan Lieskovsky 2012-04-13 07:29:18 EDT
Created openjpeg tracking bugs for this issue

Affects: fedora-all [bug 812318]
Comment 4 Jan Lieskovsky 2012-04-13 07:30:16 EDT
Created mingw32-openjpeg tracking bugs for this issue

Affects: fedora-all [bug 812319]
Comment 8 Kurt Seifried 2012-04-13 12:47:02 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/04/13/5
Comment 9 Huzaifa S. Sidhpurwala 2012-06-13 05:58:07 EDT
Patch available at:

http://code.google.com/p/openjpeg/source/detail?r=1703
Comment 11 Fedora Update System 2012-06-27 23:21:08 EDT
openjpeg-1.4-13.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-06-27 23:53:34 EDT
openjpeg-1.4-13.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2012-07-11 12:42:09 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1068 https://rhn.redhat.com/errata/RHSA-2012-1068.html