Bug 1950101 (CVE-2021-29338) - CVE-2021-29338 openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c
Summary: CVE-2021-29338 openjpeg: out-of-bounds write due to an integer overflow in op...
Alias: CVE-2021-29338
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1950102 1950103 1950104 1950105 Red Hat1951332 Red Hat1951333 Red Hat1951697 Red Hat1951698
Blocks: Embargoed1943659
TreeView+ depends on / blocked
Reported: 2021-04-15 18:28 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:18 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
There is a flaw in the opj2_compress program in openjpeg2. An attacker who is able to submit a large number of image files to be processed in a directory by opj2_compress, could trigger a heap out-of-bounds write due to an integer overflow, which is caused by the large number of image files. The greatest threat posed by this flaw is to confidentiality, integrity, and availability.
Clone Of:
Last Closed: 2021-11-02 23:29:11 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4251 0 None None None 2021-11-09 17:56:44 UTC

Description Guilherme de Almeida Suckevicz 2021-04-15 18:28:11 UTC
Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.


Comment 1 Guilherme de Almeida Suckevicz 2021-04-15 18:28:41 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1950103]

Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1950104]

Created openjpeg2 tracking bugs for this issue:

Affects: epel-7 [bug 1950102]
Affects: fedora-all [bug 1950105]

Comment 4 Todd Cullum 2021-04-19 22:58:53 UTC
This is not a "remote" attack because the opj2_compress tool is not bound to the network. If someone or script is taking remotely-retrieved files and then running them against opj2_compress, it should not be considered a remote attack from the aspect of the opj2_compress tool itself.

Comment 6 Todd Cullum 2021-04-19 23:06:29 UTC

This flaw affects the opj2_compress utility but is not in the openjpeg2 library. Therefore, the attack vector is local to the opj2_compress utility and would require an attacker to convince a user to open a directory with an extremely large number of files using opj2_compress, or a script to be feeding such arbitrary, untrusted files to opj2_compress.

Comment 9 errata-xmlrpc 2021-11-09 17:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251

Note You need to log in before you can comment on or make changes to this bug.