Bug 1755769 (CVE-2018-21010) - CVE-2018-21010 openjpeg: heap buffer overflow in color_apply_icc_profile in bin/common/color.c
Summary: CVE-2018-21010 openjpeg: heap buffer overflow in color_apply_icc_profile in b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-21010
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1755770 1755771 1755772 1755773 1758238
Blocks: 1755775
Reported: 2019-09-26 07:57 UTC by Dhananjay Arunesh
Modified: 2021-10-27 10:48 UTC (History)

Fixed In Version: openjpeg 2.3.1
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow has been discovered in OpenJPEG in the function color_apply_icc_profile, while applying the color transformation. An application that uses OpenJPEG to parse untrusted images may be vulnerable to this flaw, which would allow an attacker to crash the application or potentially execute code.
Clone Of:
Environment:
Last Closed: 2021-10-27 10:48:52 UTC
Embargoed:



Description Dhananjay Arunesh 2019-09-26 07:57:26 UTC
A vulnerability was found in OpenJPEG before 2.3.1: a heap buffer overflow in color_apply_icc_profile in bin/common/color.c.

Reference:
https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea

Comment 1 Dhananjay Arunesh 2019-09-26 07:58:19 UTC
Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1755772]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1755770]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-all [bug 1755773]
Affects: fedora-all [bug 1755771]

Comment 2 Riccardo Schirone 2019-10-02 14:07:38 UTC
openjpeg2 in rhel-7 and rhel-8 does not include function color_apply_icc_profile() because it is built only if `defined(OPJ_HAVE_LIBLCMS2) || defined(OPJ_HAVE_LIBLCMS1)`. Even though the lcms2-devel library is in the BuildRequires of the spec file, the library is not found by the cmake build system, because the thirdparty directory is removed (the code that defines OPJ_HAVE_LIBLCMS is there).

Comment 5 Riccardo Schirone 2019-10-03 16:27:45 UTC
Function color_apply_icc_profile() does not properly check whether the width/height values of the image components are all the same for the first three components, but it makes this assumption for the rest of the code. If the second or the third component has a width/height less than the first, a heap-based buffer overflow is possible while writing the transformed data back into the components' data.
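
The following is an added example, not OpenJPEG's code and not part of the bug report: a reduced model in C of the condition Comment 5 describes. The names model_comp, overrun_samples, apply_transform_checked and run_case are hypothetical, and the per-sample rotation stands in for the lcms transform. For constructed components it computes how many samples the unchecked write-back loop (sized from comps[0]) would store past the end of a smaller comps[1], and shows the dimension check that refuses such an image before any write happens.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an OpenJPEG image component: only the fields
 * the bug involves (width, height, heap-allocated sample buffer). */
typedef struct {
    unsigned w, h;
    int *data;          /* w * h samples, allocated with calloc() */
} model_comp;

static model_comp make_comp(unsigned w, unsigned h, int fill)
{
    model_comp c;
    size_t n = (size_t)w * h, k;
    c.w = w;
    c.h = h;
    c.data = calloc(n ? n : 1, sizeof *c.data);
    if (!c.data) { perror("calloc"); exit(1); }
    for (k = 0; k < n; k++)
        c.data[k] = fill;
    return c;
}

/* The bug as arithmetic: the unpatched loop iterates comps[0].w * comps[0].h
 * times and writes into comps[i].data on every iteration, so this is how
 * many samples it would store past the end of comps[i]'s buffer. */
static size_t overrun_samples(const model_comp *comps, int i)
{
    size_t n0 = (size_t)comps[0].w * comps[0].h;
    size_t ni = (size_t)comps[i].w * comps[i].h;
    return n0 > ni ? n0 - ni : 0;
}

/* Hardened write-back: refuse the transform unless the first three
 * components share width and height (the check Comment 5 says is missing).
 * The transform body is a stand-in for the lcms call: it rotates R/G/B. */
static int apply_transform_checked(model_comp *comps)
{
    size_t n, k;
    if (comps[0].w != comps[1].w || comps[0].h != comps[1].h ||
        comps[0].w != comps[2].w || comps[0].h != comps[2].h)
        return -1;                      /* dimension mismatch: do nothing */
    n = (size_t)comps[0].w * comps[0].h;
    for (k = 0; k < n; k++) {
        int r = comps[0].data[k], g = comps[1].data[k], b = comps[2].data[k];
        comps[0].data[k] = b;
        comps[1].data[k] = r;
        comps[2].data[k] = g;
    }
    return 0;
}

typedef struct {
    int status;         /* return value of apply_transform_checked() */
    size_t overrun;     /* samples the unchecked loop would write past comps[1] */
    int transformed;    /* 1 if the write-back actually ran */
} case_result;

/* Constructed scenario: comps[0] is w0 x h0, comps[1] and comps[2] are w12 x h12. */
static case_result run_case(unsigned w0, unsigned h0, unsigned w12, unsigned h12)
{
    model_comp comps[3];
    case_result res;
    int i;
    comps[0] = make_comp(w0, h0, 1);
    comps[1] = make_comp(w12, h12, 2);
    comps[2] = make_comp(w12, h12, 3);
    res.overrun = overrun_samples(comps, 1);
    res.status = apply_transform_checked(comps);
    res.transformed = (res.status == 0 && w0 * h0 > 0 &&
                       comps[0].data[0] == 3 && comps[1].data[0] == 1);
    for (i = 0; i < 3; i++)
        free(comps[i].data);
    return res;
}

int main(void)
{
    case_result bad = run_case(4, 4, 2, 2);   /* second/third smaller: the CVE shape */
    case_result ok  = run_case(4, 4, 4, 4);   /* well-formed image */
    printf("mismatched: status=%d, unchecked loop would overrun comps[1] by %zu samples\n",
           bad.status, bad.overrun);
    printf("matched:    status=%d, transformed=%d\n", ok.status, ok.transformed);
    return 0;
}
```

With a 4x4 first component and 2x2 second and third components, the unchecked loop would perform 16 stores into buffers that hold 4 samples, an overrun of 12 samples each; the checked version returns -1 and leaves the buffers untouched.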

Comment 7 Riccardo Schirone 2019-10-04 08:59:58 UTC
Mitigation:

If the application accepts untrusted images there is no known mitigation apart from applying the patch.

