Bug 1007533 (CVE-2013-4290) - CVE-2013-4290 openjpeg: multiple stack-based buffer overflows
Summary: CVE-2013-4290 openjpeg: multiple stack-based buffer overflows
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-4290
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1007534
Reported: 2013-09-12 17:10 UTC by Vincent Danen
Modified: 2023-05-12 12:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-26 06:00:50 UTC
Embargoed:



Description Vincent Danen 2013-09-12 17:10:52 UTC
Seth Arnold reported [1] a number of stack-based buffer overflows in openjpeg:

Several incorrect uses of strncpy() with data that may not have a NUL terminating byte within the indicated space, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#260
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#279

Several incorrect uses of strcpy() with data that may be longer than expected, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#188
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#192

Several incorrect uses of strcat() before accounting for the lengths, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#118
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#132

An incorrect use of sprintf() which can overflow a stack-based buffer:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#158

He notes this is not an exhaustive list, but serves as examples.  Upstream has, to this point, not responded so there are currently no patches.


[1] http://www.openwall.com/lists/oss-security/2013/09/12/2
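The four misuse patterns the report names (unterminated strncpy(), unchecked strcpy()/strcat(), sprintf() into a fixed buffer), each beside a bounded replacement, as an added example that is not openjpeg's code; PATH_LEN, the function names and the sample inputs are constructed for illustration.

```c
/* Added example, not openjpeg code: each unsafe C string pattern from the
 * report next to a bounded form. PATH_LEN and the inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define PATH_LEN 16   /* deliberately small so truncation is easy to see */

/* 1) strncpy() leaves no NUL when src fills the buffer, so a later
 *    strlen()/strcat() reads past the end. Always terminate and report
 *    truncation instead of silently handing back an unterminated string. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {               /* would not fit with the terminator */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;                  /* truncated */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* 2)/3) strcpy()/strcat() assume the source fits. Measure the room left
 *    (and confirm dst is terminated at all) before appending. */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL) return -1;                 /* dst not terminated */
    size_t used = (size_t)(end - dst);
    size_t n = strlen(src);
    if (n >= dstsz - used) return -1;           /* no room incl. NUL */
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* 4) sprintf() into a fixed buffer: use snprintf() and check its return,
 *    which is the length that *would* have been written. */
int format_bounded(char *dst, size_t dstsz, const char *name, int comp)
{
    int n = snprintf(dst, dstsz, "%s_c%d.j3d", name, comp);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}
```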

Comment 1 Vincent Danen 2013-09-12 17:11:36 UTC
Acknowledgements:

Red Hat would like to thank Seth Arnold for reporting this issue.

Comment 2 Huzaifa S. Sidhpurwala 2014-03-26 06:00:33 UTC
This flaw exists in the JP3D image handling code of openjpeg. [Part 10 of JPEG2000 (JP3D), which is concerned with volumetric imaging, aims to provide the same functionality and efficiency for 3D data sets as for its 2D counterparts.]

The above code is not present in the version of openjpeg shipped with Red Hat Enterprise Linux 6.

Statement:

Not vulnerable. This issue does not affect the version of openjpeg as shipped with Red Hat Enterprise Linux 6.

Comment 3 Huzaifa S. Sidhpurwala 2014-03-26 06:00:50 UTC
This issue does not affect the version of openjpeg as shipped with Fedora 19 and Fedora 20.

Comment 4 Ender 2015-12-01 21:14:48 UTC
RHEL 7 still carries openjpeg 1.5.1, so this makes this security advisory also valid for that distribution.  Could you please make a change in the advisory to reflect that?

Thanks!

Comment 5 Kurt Seifried 2015-12-01 21:46:08 UTC
(In reply to Ender from comment #4)
> RHEL 7 still carries openjpeg 1.5.1, so this makes this security advisory
> also valid for that distribution.  Could you please make a change in the
> advisory to reflect that?
> 
> Thanks!

We don't ship the affected code, e.g. in openjpeg-1.5.1-10.el7.src.rpm the affected files/code aren't included.

