An out-of-bounds heap-based buffer read and write flaw, leading to an invalid free, was found in the way the tile coder / decoder (TCD) implementation of OpenJPEG, an open-source JPEG 2000 codec written in the C language, released previously allocated memory for the TCD encoder handle when processing certain Gray16 TIFF images. A remote attacker could provide a specially-crafted TIFF image file which, once converted into the JPEG 2000 file format with an application linked against OpenJPEG (such as 'image_to_j2k'), would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.
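The following is an added illustration, not OpenJPEG code and not part of this bug report: a hypothetical, simplified encoder handle whose release path is bounded by the number of component buffers actually allocated, which is the defensive pattern that prevents the kind of invalid free during handle release described above (a Gray16 image has one component, RGB has three, and a release loop that assumes a fixed count frees slots that were never allocated). The struct layout, the `alloc_comps` field, the function names and the "one buffer per component" model are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified tile-coder encoder handle (assumption: this is
 * NOT OpenJPEG's real structure). It only models "a handle that owns one
 * buffer per image component": 1 for a Gray16 image, 3 for RGB. */
typedef struct {
    int numcomps;              /* components the image format declares */
    int alloc_comps;           /* buffers actually allocated: the only authority for release */
    unsigned char **comp_data; /* one sample buffer per allocated component */
} tcd_handle_t;

int tcd_destroy(tcd_handle_t **hp);

/* Bounds check used before any read or write of comp_data[idx]. Indexing
 * by the format's nominal component count instead of alloc_comps is the
 * out-of-bounds access that a release path must never perform. */
int tcd_comp_in_bounds(const tcd_handle_t *h, int idx) {
    return h != NULL && h->comp_data != NULL && idx >= 0 && idx < h->alloc_comps;
}

/* Create a handle with one buffer per component. On partial failure the
 * handle is released through the same bounded path, so alloc_comps is
 * accurate whatever state construction reached. */
tcd_handle_t *tcd_create(int numcomps, size_t bytes_per_comp) {
    if (numcomps <= 0 || bytes_per_comp == 0) return NULL;
    tcd_handle_t *h = calloc(1, sizeof *h);
    if (h == NULL) return NULL;
    h->numcomps = numcomps;
    h->comp_data = calloc((size_t)numcomps, sizeof *h->comp_data);
    if (h->comp_data == NULL) { free(h); return NULL; }
    for (int i = 0; i < numcomps; i++) {
        h->comp_data[i] = calloc(bytes_per_comp, 1);
        if (h->comp_data[i] == NULL) {
            tcd_destroy(&h);   /* frees only the i buffers allocated so far */
            return NULL;
        }
        h->alloc_comps = i + 1;
    }
    return h;
}

/* Release the handle. The free loop is bounded by alloc_comps, never by the
 * component count of an assumed pixel format, so a 1-component (Gray16)
 * handle never frees pointers in slots that were never allocated. Every
 * freed pointer is nulled and the caller's pointer is cleared, so a second
 * call on the same variable is a harmless no-op rather than a double free.
 * Returns the number of component buffers freed. */
int tcd_destroy(tcd_handle_t **hp) {
    if (hp == NULL || *hp == NULL) return 0;
    tcd_handle_t *h = *hp;
    int freed = 0;
    if (h->comp_data != NULL) {
        for (int i = 0; i < h->alloc_comps; i++) {
            if (h->comp_data[i] != NULL) {
                free(h->comp_data[i]);
                h->comp_data[i] = NULL;
                freed++;
            }
        }
        free(h->comp_data);
        h->comp_data = NULL;
    }
    h->alloc_comps = 0;
    free(h);
    *hp = NULL;
    return freed;
}

int main(void) {
    /* Constructed sizes: a 16x16 Gray16 tile (2 bytes per sample) and a 16x16 8-bit RGB tile. */
    tcd_handle_t *gray16 = tcd_create(1, 2 * 16 * 16);
    tcd_handle_t *rgb = tcd_create(3, 16 * 16);
    printf("gray16 comp 2 in bounds: %d\n", tcd_comp_in_bounds(gray16, 2));
    printf("gray16 buffers freed: %d\n", tcd_destroy(&gray16));
    printf("second destroy frees: %d\n", tcd_destroy(&gray16));
    printf("rgb buffers freed: %d\n", tcd_destroy(&rgb));
    return 0;
}
```

The point of the example is that the release routine consults the count recorded at allocation time rather than a count derived from the declared pixel format; when the two disagree, as they can for single-component images, only the recorded count is safe to trust.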
This issue affects the version of the openjpeg package, as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of the openjpeg and mingw32-openjpeg packages, as shipped with Fedora releases 15 and 16. Please schedule an update once there is a final upstream patch available (there doesn't seem to be one as of right now).
Created openjpeg tracking bugs for this issue
Affects: fedora-all [bug 812318]
Created mingw32-openjpeg tracking bugs for this issue
Affects: fedora-all [bug 812319]
Added CVE as per http://www.openwall.com/lists/oss-security/2012/04/13/5
Patch available at:
openjpeg-1.4-13.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
openjpeg-1.4-13.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1068 https://rhn.redhat.com/errata/RHSA-2012-1068.html