Bug 1626095 – CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1626095 - (CVE-2018-16376) CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c

Summary:	CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_pac...

Status:	NEW

Aliases:	CVE-2018-16376

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180903,repor...
Keywords:	Security

Depends On:	1626322 1626323 1626324 1626325 1626326
Blocks:	1626097
	Show dependency tree / graph

Reported:	2018-09-06 10:48 EDT by Pedro Sampaio
Modified:	2018-09-07 00:13 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-09-06 10:48:09 EDT

An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.

Upstream bug:

https://github.com/uclouvain/openjpeg/issues/1127

Comment 1 Huzaifa S. Sidhpurwala 2018-09-07 00:04:38 EDT

Upstream issue: https://github.com/uclouvain/openjpeg/issues/992
Patch: https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e
Upstream reproducer: https://github.com/asarubbo/poc/blob/master/00322-openjpeg-heapoverflow-opj_t2_encode_packet

Comment 2 Huzaifa S. Sidhpurwala 2018-09-07 00:11:29 EDT

Analysis: 

This is the classic case in which the length of the array is not checked and out of bounds buffers is written. Though this is a variable on the heap, because data written OOB is first operated on, exploitation is very difficult or even not possible in this case, reducing the impact to only crash. Though in realistic scenarios (when ASAN is not used), it seems like it should overwrite adjacent variables and not crash.

Comment 3 Huzaifa S. Sidhpurwala 2018-09-07 00:13:14 EDT

Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1626325]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1626322]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1626323]
Affects: fedora-all [bug 1626324]

Note You need to log in before you can comment on or make changes to this bug.