Bug 812317 - (CVE-2009-5030) CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by processing certain Gray16 TIFF images
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20090731,repo...
Keywords: Security
Depends On: 812318 812319 831561 831562
Blocks: 812327
Reported: 2012-04-13 07:24 EDT by Jan Lieskovsky
Modified: 2015-11-24 10:04 EST

Doc Type: Bug Fix
Last Closed: 2012-07-11 13:02:51 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 672455 None None None 2012-06-13 05:56:19 EDT

Description Jan Lieskovsky 2012-04-13 07:24:09 EDT
An out-of-bounds heap-based buffer read and write flaw, leading to an invalid free, was found in the way the tile coder / decoder (TCD) implementation of OpenJPEG, an open-source JPEG 2000 codec written in the C language, released previously allocated memory for the TCD encoder handle when processing certain Gray16 TIFF images. A remote attacker could provide a specially-crafted TIFF image file, which, once converted into the JPEG 2000 file format with an application linked against OpenJPEG (such as 'image_to_j2k'), would lead to that application crashing, or, potentially, arbitrary code execution with the privileges of the user running the application.

Upstream ticket:
http://code.google.com/p/openjpeg/issues/detail?id=5

Reproducer:
http://openjpeg.googlecode.com/issues/attachment?aid=-3765789821971534182&name=random.tif&token=yuNnyJfWKmzzoKRYSCAI763B8Dk%3A1334312139415

CVE Request:
http://www.openwall.com/lists/oss-security/2012/04/13/1
Comment 1 Jan Lieskovsky 2012-04-13 07:26:35 EDT
This issue affects the version of the openjpeg package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the openjpeg and mingw32-openjpeg packages, as shipped with Fedora releases 15 and 16. Please schedule an update once there is a final upstream patch available (doesn't seem to be as of right now).
Comment 3 Jan Lieskovsky 2012-04-13 07:29:18 EDT
Created openjpeg tracking bugs for this issue

Affects: fedora-all [bug 812318]
Comment 4 Jan Lieskovsky 2012-04-13 07:30:16 EDT
Created mingw32-openjpeg tracking bugs for this issue

Affects: fedora-all [bug 812319]
Comment 8 Kurt Seifried 2012-04-13 12:47:02 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/04/13/5
Comment 9 Huzaifa S. Sidhpurwala 2012-06-13 05:58:07 EDT
Patch available at:

http://code.google.com/p/openjpeg/source/detail?r=1703
Comment 11 Fedora Update System 2012-06-27 23:21:08 EDT
openjpeg-1.4-13.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-06-27 23:53:34 EDT
openjpeg-1.4-13.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2012-07-11 12:42:09 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1068 https://rhn.redhat.com/errata/RHSA-2012-1068.html
