1905762 – (CVE-2020-27823) CVE-2020-27823 openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode()

Bug 1905762 (CVE-2020-27823) - CVE-2020-27823 openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode()

Summary: CVE-2020-27823 openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-27823
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1906219 1906220 1906221 1906222
Blocks:	1902194 1939847
TreeView+	depends on / blocked

Reported:	2020-12-09 01:53 UTC by Todd Cullum
Modified:	2024-03-25 17:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openjpeg 2.4.0
Clone Of:
Environment:
Last Closed:	2021-11-02 18:21:56 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4251	0	None	None	None	2021-11-09 17:56:26 UTC

Description Todd Cullum 2020-12-09 01:53:56 UTC

In openjpeg v2.3.1 and prior, there's a heap buffer overflow in opj_tcd_dc_level_shift_encode() causing an out-of-bounds WRITE when crafted input is processed by the encoder and -d option is used.

Reference: https://github.com/uclouvain/openjpeg/issues/1284
Upstream patch: https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919

Comment 1 Todd Cullum 2020-12-09 01:53:59 UTC

Acknowledgments:

Name: zodf0055980 (SQLab NCTU Taiwan)

Comment 4 Todd Cullum 2020-12-09 23:39:20 UTC

Statement:

Red Hat Product Security has rated this flaw with Moderate severity because it affects the encoder functionality specifically when performing an image conversion and not general reading of image files.

Comment 5 Todd Cullum 2020-12-09 23:40:08 UTC

Mitigation:

This flaw can be mitigated by not using openjpeg to convert untrusted image files.

Comment 6 Todd Cullum 2020-12-09 23:40:58 UTC

Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1906221]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1906219]
Affects: fedora-all [bug 1906220]

Comment 8 errata-xmlrpc 2021-11-09 17:56:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251

Note You need to log in before you can comment on or make changes to this bug.