Bug 1905762 (CVE-2020-27823) - CVE-2020-27823 openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode()
Summary: CVE-2020-27823 openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift...
Alias: CVE-2020-27823
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1906219 1906220 1906221 1906222
Blocks: 1902194 1939847
TreeView+ depends on / blocked
Reported: 2020-12-09 01:53 UTC by Todd Cullum
Modified: 2021-11-09 17:56 UTC (History)
6 users (show)

Fixed In Version: openjpeg 2.4.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Last Closed: 2021-11-02 18:21:56 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4251 0 None None None 2021-11-09 17:56:26 UTC

Description Todd Cullum 2020-12-09 01:53:56 UTC
In openjpeg v2.3.1 and prior, there's a heap buffer overflow in opj_tcd_dc_level_shift_encode() causing an out-of-bounds WRITE when crafted input is processed by the encoder and -d option is used.

Reference: https://github.com/uclouvain/openjpeg/issues/1284
Upstream patch: https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919

Comment 1 Todd Cullum 2020-12-09 01:53:59 UTC

Name: zodf0055980 (SQLab NCTU Taiwan)

Comment 4 Todd Cullum 2020-12-09 23:39:20 UTC

Red Hat Product Security has rated this flaw with Moderate severity because it affects the encoder functionality specifically when performing an image conversion and not general reading of image files.

Comment 5 Todd Cullum 2020-12-09 23:40:08 UTC

This flaw can be mitigated by not using openjpeg to convert untrusted image files.

Comment 6 Todd Cullum 2020-12-09 23:40:58 UTC
Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1906221]

Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1906219]
Affects: fedora-all [bug 1906220]

Comment 8 errata-xmlrpc 2021-11-09 17:56:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251

Note You need to log in before you can comment on or make changes to this bug.