Bug 842918 (CVE-2012-3535)

Summary: CVE-2012-3535 openjpeg: heap-based buffer overflow when decoding jpeg2000 files
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: fweimer, security-response-team, tgl
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-12-20 17:56:11 UTC
Bug Depends On: 851955, 856048, 856049
Bug Blocks: 842919

Description Vincent Danen 2012-07-24 22:31:21 UTC
A heap-based buffer overflow was found in the way OpenJPEG, an open-source JPEG 2000 codec written in the C language, performed parsing of JPEG2000 image files. A remote attacker could provide a specially crafted JPEG 2000 file which, when opened in an application linked against openjpeg, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

Acknowledgements:

This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.

Comment 7 Huzaifa S. Sidhpurwala 2012-08-27 06:23:22 UTC
Upstream bug:

http://code.google.com/p/openjpeg/issues/detail?id=170

Comment 8 Huzaifa S. Sidhpurwala 2012-08-27 06:45:13 UTC
This has been assigned CVE-2012-3535 via:

http://seclists.org/oss-sec/2012/q3/300

Comment 9 Huzaifa S. Sidhpurwala 2012-08-27 06:50:50 UTC
Created openjpeg tracking bugs for this issue

Affects: fedora-all [bug 851955]

Comment 10 Huzaifa S. Sidhpurwala 2012-09-03 06:37:48 UTC
Analysis of the issue: (Applicable to openjpeg-1.3 and openjpeg-1.4)

The cause of the crash while decoding JPEG2000 files is a user-controlled invalid memory write while decoding (at least partly user-controlled in this case).

In j2k.c:j2k_read_cox(), tccp->numresolutions (1 byte) is read from the file via:

        tccp->numresolutions = cio_read(cio, 1) + 1;    /* SPcox (D) */

This number is not validated, and later in the code is directly used as an index when writing to the tccp->prcw array. The size of the tccp->prcw array is J2K_MAXRLVLS, which is defined in openjpeg.h as:

#define J2K_MAXRLVLS 33

The following simple patch should fix this issue for openjpeg 1.3 and 1.4:

-               for (i = 0; i < tccp->numresolutions; i++) {
+               for (i = 0; i < tccp->numresolutions && i < J2K_MAXRLVLS; i++) {
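
Review bot: the added i < J2K_MAXRLVLS bound on the loop stops the write past the end of tccp->prcw, but tccp->numresolutions itself keeps the unvalidated value read in j2k_read_cox() (up to 256 after the + 1), so any other code that uses it as a count or index still sees an out-of-range number. Consider rejecting the value right after the read, failing the decode when tccp->numresolutions > J2K_MAXRLVLS, instead of or in addition to clamping the loop, so that a malformed file is refused rather than partially parsed.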
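
The check described in the analysis above, as an added example that is not OpenJPEG's code or the reporter's patch: a small C model that validates the count byte against J2K_MAXRLVLS before it is used to index prcw. The struct tccp_model_t, the function read_cox_checked and the one-byte-per-resolution record layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define J2K_MAXRLVLS 33   /* value quoted from openjpeg.h in the analysis */

/* Hypothetical stand-in for the coding-parameter struct; only the two
 * fields named in the analysis are modelled. */
typedef struct {
    int numresolutions;
    int prcw[J2K_MAXRLVLS];
} tccp_model_t;

/* Parse a constructed record: one count byte followed by one byte per
 * resolution (this layout is an assumption of the model).
 * Returns 0 on success, -1 if the count exceeds the array size, -2 if the
 * buffer is too short. Nothing is written to *tccp on failure. */
int read_cox_checked(const uint8_t *buf, size_t len, tccp_model_t *tccp)
{
    if (len < 1)
        return -2;
    int n = buf[0] + 1;              /* same "+ 1" as the SPcox (D) read */
    if (n > J2K_MAXRLVLS)            /* validate before any indexing */
        return -1;
    if (len - 1 < (size_t)n)         /* every per-resolution byte must exist */
        return -2;
    tccp->numresolutions = n;
    for (int i = 0; i < n; i++)
        tccp->prcw[i] = buf[1 + i] & 0x0f;
    return 0;
}

int main(void)
{
    tccp_model_t t = {0};
    uint8_t ok[]  = { 0x02, 0x15, 0x26, 0x37 };  /* constructed: 3 resolutions */
    uint8_t bad[] = { 0xff, 0x41, 0x41 };        /* constructed: claims 256 */
    int r_ok = read_cox_checked(ok, sizeof ok, &t);
    printf("ok  -> %d (numresolutions=%d)\n", r_ok, t.numresolutions);
    printf("bad -> %d\n", read_cox_checked(bad, sizeof bad, &t));
    return 0;
}
```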

Comment 11 Huzaifa S. Sidhpurwala 2012-09-03 07:31:04 UTC
Upstream patch at:
http://code.google.com/p/openjpeg/issues/detail?id=170#c6

Comment 13 Huzaifa S. Sidhpurwala 2012-09-10 14:28:35 UTC
Final upstream patches:

Trunk: http://code.google.com/p/openjpeg/source/detail?r=1918
1.5 branch: http://code.google.com/p/openjpeg/source/detail?r=1919

Comment 18 errata-xmlrpc 2012-09-17 16:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1283 https://rhn.redhat.com/errata/RHSA-2012-1283.html