1950101 – (CVE-2021-29338) CVE-2021-29338 openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c

Bug 1950101 (CVE-2021-29338) - CVE-2021-29338 openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c

Summary: CVE-2021-29338 openjpeg: out-of-bounds write due to an integer overflow in op...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-29338
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1950102 1950103 1950104 1950105 Red Hat1951332 Red Hat1951333 Red Hat1951697 Red Hat1951698
Blocks:	Embargoed1943659
TreeView+	depends on / blocked

Reported:	2021-04-15 18:28 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-04-17 21:18 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	There is a flaw in the opj2_compress program in openjpeg2. An attacker who is able to submit a large number of image files to be processed in a directory by opj2_compress, could trigger a heap out-of-bounds write due to an integer overflow, which is caused by the large number of image files. The greatest threat posed by this flaw is to confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:	2021-11-02 23:29:11 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4251	0	None	None	None	2021-11-09 17:56:44 UTC

Description Guilherme de Almeida Suckevicz 2021-04-15 18:28:11 UTC

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Reference:
https://github.com/uclouvain/openjpeg/issues/1338

Comment 1 Guilherme de Almeida Suckevicz 2021-04-15 18:28:41 UTC

Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1950103]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1950104]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-7 [bug 1950102]
Affects: fedora-all [bug 1950105]

Comment 4 Todd Cullum 2021-04-19 22:58:53 UTC

This is not a "remote" attack because the opj2_compress tool is not bound to the network. If someone or script is taking remotely-retrieved files and then running them against opj2_compress, it should not be considered a remote attack from the aspect of the opj2_compress tool itself.

Comment 6 Todd Cullum 2021-04-19 23:06:29 UTC

Statement:

This flaw affects the opj2_compress utility but is not in the openjpeg2 library. Therefore, the attack vector is local to the opj2_compress utility and would require an attacker to convince a user to open a directory with an extremely large number of files using opj2_compress, or a script to be feeding such arbitrary, untrusted files to opj2_compress.

Comment 9 errata-xmlrpc 2021-11-09 17:56:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251

Note You need to log in before you can comment on or make changes to this bug.