Bug 1007531 - (CVE-2013-4289) CVE-2013-4289 openjpeg: multiple heap-based buffer overflows
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130911,repo...
Keywords: Security
Blocks: 1007534
Reported: 2013-09-12 13:06 EDT by Vincent Danen
Modified: 2016-03-04 05:57 EST

Doc Type: Bug Fix
Last Closed: 2014-03-26 02:00:04 EDT
Attachments: None
Description Vincent Danen 2013-09-12 13:06:08 EDT
Seth Arnold reported [1] a number of integer overflows causing heap-based buffer overflows in openjpeg:

Many instances of malloc() and opj_malloc() using integers multiplied together or added together without any overflow checks, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#1825
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#487

He notes this is not an exhaustive list, but serves as examples. Upstream has, to this point, not responded so there are currently no patches.

[1] http://www.openwall.com/lists/oss-security/2013/09/12/2
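The unchecked size computation described in the report, beside a checked counterpart that refuses to allocate when the product would wrap, as an added example that is not part of the bug report or of openjpeg's code (the function names, the 32-bit size arithmetic and the sample dimensions are constructed for illustration):

```c
#include <stdint.h>
#include <stdlib.h>

/* Pattern flagged in the report: dimensions multiplied in 32-bit arithmetic
 * with no overflow check. The product wraps before malloc() sees it, so the
 * buffer is far smaller than the writes that follow. (Constructed
 * illustration of the pattern, not the jp3d.c code itself.) */
uint32_t unchecked_volume_bytes(uint32_t w, uint32_t h, uint32_t depth, uint32_t elem)
{
    uint32_t n = w;
    n *= h;       /* each step wraps modulo 2^32 */
    n *= depth;
    n *= elem;
    return n;
}

/* Multiply a*b into *out; return -1 if the product would not fit in size_t. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Hardened counterpart: compute the byte count with overflow checks and
 * return -1 instead of handing a wrapped size to malloc(). */
int checked_volume_bytes(uint32_t w, uint32_t h, uint32_t depth, uint32_t elem, size_t *out)
{
    size_t n;
    if (mul_checked((size_t)w, (size_t)h, &n) ||
        mul_checked(n, (size_t)depth, &n) ||
        mul_checked(n, (size_t)elem, &n))
        return -1;
    if (n == 0) return -1;   /* zero-sized volume: refuse rather than malloc(0) */
    if (out) *out = n;
    return 0;
}

/* Allocate the volume only when the size computation was safe. */
void *checked_volume_alloc(uint32_t w, uint32_t h, uint32_t depth, uint32_t elem)
{
    size_t n;
    if (checked_volume_bytes(w, h, depth, elem, &n)) return NULL;
    return malloc(n);
}
```

With the constructed dimensions 65536 x 65536 x 1 x 1 the unchecked version computes 0 bytes, which malloc() happily returns as a tiny or empty block; the checked version reports failure for any product that does not fit in size_t.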
Comment 1 Vincent Danen 2013-09-12 13:10:37 EDT
Acknowledgements:

Red Hat would like to thank Seth Arnold for reporting this issue.
Comment 2 Huzaifa S. Sidhpurwala 2014-03-26 01:59:31 EDT
This flaw exists in the JP3D image handling code of openjpeg. [Part 10 of JPEG2000 (JP3D), which is concerned with volumetric imaging, aims to provide the same functionality and efficiency for 3D data sets as for its 2D counterparts.]

The above code is not present in the version of openjpeg shipped with Red Hat Enterprise Linux 6.

Statement:

Not vulnerable. This issue does not affect the version of openjpeg as shipped with Red Hat Enterprise Linux 6.
Comment 3 Huzaifa S. Sidhpurwala 2014-03-26 02:00:04 EDT
This issue does not affect the version of openjpeg as shipped with Fedora 19 and Fedora 20.
