| Summary: | openjpeg several new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, oe, sysadmin-bugs, tmb, wilcal.int |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/575470/ | ||
| Whiteboard: | advisory MGA3-32-OK MGA3-64-OK | ||
| Source RPM: | openjpeg-1.5.1-2.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-12-03 18:17:54 CET
David Walser
2013-12-03 18:18:01 CET
Whiteboard:
(none) =>
MGA3TOO Here's the aforementioned post on oss-sec: http://openwall.com/lists/oss-security/2013/12/04/6
Dave Hodgins
2013-12-12 22:36:35 CET
Blocks:
(none) =>
11726 Fedora has issued an advisory for this on December 7: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124072.html LWN reference for CVE-2013-6053: http://lwn.net/Vulnerabilities/577186/ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6053 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6887 CC:
(none) =>
oe ====================================================== Name: CVE-2013-1447 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130126 Category: Reference: DEBIAN:DSA-2808 Reference: URL:http://www.debian.org/security/2013/dsa-2808 OpenJPEG 1.3 and earlier allows remote attackers to cause a denial of service (memory consumption or crash) via unspecified vectors. ====================================================== Name: CVE-2013-6045 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20131008 Category: Reference: DEBIAN:DSA-2808 Reference: URL:http://www.debian.org/security/2013/dsa-2808 Multiple heap-based buffer overflows in OpenJPEG 1.3 and earlier might allow remote attackers to execute arbitrary code via unspecified vectors. ====================================================== Name: CVE-2013-6052 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20131008 Category: Reference: DEBIAN:DSA-2808 Reference: URL:http://www.debian.org/security/2013/dsa-2808 OpenJPEG 1.3 and earlier allows remote attackers to obtain sensitive information via unspecified vectors. ====================================================== Name: CVE-2013-6054 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6054 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20131008 Category: Reference: DEBIAN:DSA-2808 Reference: URL:http://www.debian.org/security/2013/dsa-2808 Heap-based buffer overflow in OpenJPEG 1.3 has unspecified impact and remote vectors, a different vulnerability than CVE-2013-6045. I'm not quite sure what to do with this. According to the oss-sec post, openjpeg 1.5.1 has five security issues, CVE-2013-6052, CVE-2013-6053, CVE-2013-6045, CVE-2013-1447, and CVE-2013-6887. Fedora has fixed the first three only, and only in mingw-openjpeg, not openjpeg. RedHat has fixed the ones relevant to openjpeg 1.3 in RHEL6. RedHat's bugs for CVE-2013-6053 and CVE-2013-6887, the only ones only affecting openjpeg 1.5.1 and not 1.3, were closed as NOTABUG, but is that just because they don't affect RHEL? What about Fedora? Do they not intend to fix them for openjpeg 1.5.1 in Fedora? I don't see any statement about that anywhere, and don't know why that would be the case. I also haven't seen any other distros release updates for openjpeg 1.5.1 thus far. The maintainer of mingw-openjpeg in Fedora has added patches to fix CVE-2013-1447 and CVE-2013-6887 as well. It appears that the maintainer of the openjpeg package just hasn't addressed these issues as of yet, but is expected to at some point. Thanks to Oden for contacting Fedora's mingw-openjpeg maintainer for clarification. Patched packages uploaded for Mageia 3 and Cauldron. Advisory: ======================== Updated openjpeg packages fix security vulnerabilities: Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2013-6045). Multiple denial of service flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash (CVE-2013-1447, CVE-2013-6052, CVE-2013-6053, CVE-2013-6887). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6887 http://openwall.com/lists/oss-security/2013/12/04/6 https://rhn.redhat.com/errata/RHSA-2013-1850.html ======================== Updated packages in core/updates_testing: ======================== openjpeg-1.5.1-3.1.mga3 libopenjpeg5-1.5.1-3.1.mga3 libopenjpeg-devel-1.5.1-3.1.mga3 from openjpeg-1.5.1-3.1.mga3.src.rpm Version:
Cauldron =>
3
David Walser
2013-12-29 18:27:59 CET
Assignee:
bugsquad =>
qa-bugs
Dave Hodgins
2014-01-02 17:44:40 CET
CC:
(none) =>
davidwhodgins In VirtualBox, M3, KDE, 32-bit Package(s) under test: openjpeg install openjpeg [root@localhost wilcal]# urpmi openjpeg Package openjpeg-1.5.1-3.mga3.i586 is already installed Download Bretagne1.ppm sample from openjpeg.org to /Pictures Run in terminal: [wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10 [INFO] tile number 1 / 1 [INFO] - tile encoded in 0.168000 s Generated outfile Bretagne1.j2k /Pictures: Bretagne1.ppm 900.0KiB Bretagne1.j2k 89.5KiB Both files can be opened with GIMP Delete Bretagne1.j2k install openjpeg from updates_testing [root@localhost wilcal]# urpmi openjpeg Package openjpeg-1.5.1-3.1.mga3.i586 is already installed Run in terminal: [wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10 [INFO] tile number 1 / 1 [INFO] - tile encoded in 0.175000 s Generated outfile Bretagne1.j2k /Pictures: Bretagne1.ppm 900.0KiB Bretagne1.j2k 89.5KiB Both files can be opened with GIMP Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) VirtualBox 4.2.16-1.mga3.x86_64.rpm CC:
(none) =>
wilcal.int In VirtualBox, M3, KDE, 64-bit Package(s) under test: openjpeg install openjpeg [root@localhost wilcal]# urpmi openjpeg Package openjpeg-1.5.1-3.mga3.x86_64 is already installed Download Bretagne1.ppm sample from openjpeg.org to /Pictures Run in terminal: [wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10 [INFO] tile number 1 / 1 [INFO] - tile encoded in 0.155000 s Generated outfile Bretagne1.j2k /Pictures: Bretagne1.ppm 900.0KiB Bretagne1.j2k 89.5KiB Both files can be opened with GIMP Delete Bretagne1.j2k install openjpeg from updates_testing [root@localhost wilcal]# urpmi openjpeg Package openjpeg-1.5.1-3.1.mga3.x86_64 is already installed Run in terminal: [wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10 [INFO] tile number 1 / 1 [INFO] - tile encoded in 0.148000 s Generated outfile Bretagne1.j2k /Pictures: Bretagne1.ppm 900.0KiB Bretagne1.j2k 89.5KiB Both files can be opened with GIMP Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) VirtualBox 4.2.16-1.mga3.x86_64.rpm (In reply to David Walser from comment #7) > Patched packages uploaded for Mageia 3 and Cauldron. Are you comfortable with my testing success to push this one David? (In reply to William Kenney from comment #10) > (In reply to David Walser from comment #7) > > > Patched packages uploaded for Mageia 3 and Cauldron. > > Are you comfortable with my testing success to push > this one David? Yep, you can validate this one. Thanks. Testing complete for mga3 32 & 64 Validating the update. Could someone from the sysadmin team push xxxx.adv to updates. Thanks
William Kenney
2014-01-03 17:09:28 CET
Keywords:
(none) =>
validated_update Update pushed: http://advisories.mageia.org/MGASA-2014-0005.html Status:
NEW =>
RESOLVED LWN reference for CVE-2013-6887: http://lwn.net/Vulnerabilities/579344/ Note that the CVE-2013-6045 fix caused a regression and therefore wasn't included when Fedora finally updated their openjpeg package. More info on their bug and the Debian bug in the RH bug's see also field. Hopefully there will be an updated fix soon: https://bugzilla.redhat.com/show_bug.cgi?id=1047494 |