Bug 1335482 (CVE-2016-4796) - CVE-2016-4796 openjpeg: Heap buffer overflow in function color_cmyk_to_rgb in color.c
Summary: CVE-2016-4796 openjpeg: Heap buffer overflow in function color_cmyk_to_rgb in...
Status: CLOSED NOTABUG
Alias: CVE-2016-4796
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160506,reported=2...
Keywords: Security
Depends On: 1335484 1335485 1335486
Blocks: 1335487
TreeView+ depends on / blocked
 
Reported: 2016-05-12 10:06 UTC by Adam Mariš
Modified: 2019-06-08 21:11 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-05-31 05:28:04 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-05-12 10:06:49 UTC
A heap buffer overflow in function color_cmyk_to_rgb in color.c.

Upstream patch:

https://github.com/uclouvain/openjpeg/commit/162f6199c0cd3ec1c6c6dc65e41b2faab92b2d91

CVE request:

http://seclists.org/oss-sec/2016/q2/327

Comment 1 Adam Mariš 2016-05-12 10:11:53 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1335485]

Comment 2 Adam Mariš 2016-05-12 10:11:59 UTC
Created openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1335484]
Affects: epel-all [bug 1335486]

Comment 3 Andrej Nemec 2016-05-13 08:15:17 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q2/342

Comment 4 Doran Moppert 2016-05-30 06:45:47 UTC
Versions of openjpeg in rhel are too old to be affected by this issue.

Comment 5 Doran Moppert 2016-05-31 01:55:13 UTC
Adjusted cvss2 score.  The overflow area is written with data computed using an OOB read and then manipulated through colourspace conversion (i goes out of bounds in the below loop), so successfully achieving C/I compromise is high complexity.

https://github.com/uclouvain/openjpeg/blob/162f6199c0cd3ec1c6c6dc65e41b2faab92b2d91/src/bin/common/color.c#L874-L892

NVD gives this a much higher score, but I don't think that's reasonable in this case:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4796

CIA=PPP and AC=M to reflect that DoS is low complexity, but C/I is high.

Comment 6 Fedora Update System 2016-07-14 14:51:55 UTC
openjpeg2-2.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-07-16 21:21:02 UTC
openjpeg2-2.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-07-18 18:26:56 UTC
mingw-openjpeg2-2.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-07-18 20:53:43 UTC
mingw-openjpeg2-2.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.