[3.6] openjpeg: Multiple vulnerabilities (CVE-2017-14039, CVE-2017-14040, CVE-2017-14041, CVE-2017-14151, CVE-2017-14152, CVE-2017-14164)
CVE-2017-14039: heap-based buffer overflow in opj_t2_encode_packet
A heap-based buffer overflow was discovered in the
opj_t2_encode_packet function in lib/openjp2/t2.c in OpenJPEG
2.2.0.
The vulnerability causes an out-of-bounds write, which may lead to
remote denial of service or possibly unspecified other impact.
References:
https://github.com/uclouvain/openjpeg/issues/992
https://nvd.nist.gov/vuln/detail/CVE-2017-14039
Patch:
https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e
CVE-2017-14040: invalid memory write in tgatoimage
An invalid write access was discovered in bin/jp2/convert.c in OpenJPEG
2.2.0, triggering a crash in the tgatoimage function.
The vulnerability may lead to remote denial of service or possibly
unspecified other impact.
References:
https://github.com/uclouvain/openjpeg/issues/995
https://blogs.gentoo.org/ago/2017/08/28/openjpeg-invalid-memory-write-in-tgatoimage-convert-c/
Patch:
https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281
CVE-2017-14041: Stack-based buffer over-write in pgxtoimage function in bin/jp2/convert.c
A stack-based buffer overflow was discovered in the pgxtoimage
function in bin/jp2/convert.c in OpenJPEG 2.2.0.
The vulnerability causes an out-of-bounds write, which may lead to
remote denial of service or possibly remote code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-14041
https://blogs.gentoo.org/ago/2017/08/28/openjpeg-stack-based-buffer-overflow-write-in-pgxtoimage-convert-c/
Patch:
https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9
CVE-2017-14151: heap-based buffer overflow in opj_mqc_flush
An off-by-one error was discovered in
opj_tcd_code_block_enc_allocate_data in lib/openjp2/tcd.c in
OpenJPEG 2.2.0.
The vulnerability causes an out-of-bounds write, which may lead to
remote denial of service (heap-based buffer overflow
affecting opj_mqc_flush in lib/openjp2/mqc.c and opj_t1_encode_cblk
in lib/openjp2/t1.c) or possibly remote code execution.
References:
http://openwall.com/lists/oss-security/2017/09/06/1
Patch:
https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9
CVE-2017-14152: heap-based buffer overflow in opj_write_bytes_LE
A mishandled zero case was discovered in
opj_j2k_set_cinema_parameters in lib/openjp2/j2k.c in OpenJPEG
2.2.0.
The vulnerability causes an out-of-bounds write, which may lead to
remote denial of service (heap-based buffer overflow
affecting opj_write_bytes_LE in lib/openjp2/cio.c and
opj_j2k_write_sot in lib/openjp2/j2k.c) or possibly remote code
execution.
References:
http://openwall.com/lists/oss-security/2017/09/06/2
Patch:
https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154
CVE-2017-14164: heap-based buffer overflow in opj_write_bytes_LE (cio.c)
A size-validation issue was discovered in opj_j2k_write_sot in
lib/openjp2/j2k.c in OpenJPEG 2.2.0.
The vulnerability causes an out-of-bounds write, which may lead to
remote denial of service (heap-based buffer
overflow affecting opj_write_bytes_LE in lib/openjp2/cio.c) or
possibly remote code execution.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14152.
References:
http://openwall.com/lists/oss-security/2017/09/06/3
Patch:
https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a
(from redmine: issue id 7826, created on 2017-09-14, closed on 2019-05-04)
- Relations:
- parent #7824 (closed)