| Summary: | openjpeg2 new security issues CVE-2016-957[23] and CVE-2016-958[01] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/708875/ | | |
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | openjpeg2-2.1.2-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2016-12-09 18:22:28 CET
Fedora has issued an advisory for CVE-2016-957[23] on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3C7U32IFCUOTSYNRT6QD5AFHWZ2ELHE/

URL: (none) => https://lwn.net/Vulnerabilities/708875/

LWN reference for CVE-2016-958[01]: https://lwn.net/Vulnerabilities/709745/

Fedora has issued an advisory for this on December 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBFRC3OO5376WRT5PO5VE2JL6UB3NBO7/

MGA5-32 on Acer D620 Xfce

No installation issues.

mupdf is dependent, so used

```
$ strace -o openjpeg.txt mupdf /home/tester5/Afbeeldingen/IMG_0013.jpg
```

and I find in the trace file a.o.

```
open("/lib/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300K\0\0004\0\0\0"..., 512) = 512
```

So OK for me.

CC: (none) => herman.viaene

x86_64 test

PoCs have been found, but analysis depends on address sanitizer support, which would have to be specified on a local build. Given the frustrating efforts in the past to use libasan, we should try an image conversion and compare the error messages before and after updates.

Before:
--------------------------------

CVE-2016-9580 Integer overflow in tiftoimage
https://github.com/uclouvain/openjpeg/issues/871
poc1.analysis1 1_000007.tif

```
$ opj_compress -i 1_000007.tif -o test1.jp2
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
_TIFFVSetField: 1_000007.tif: Null count for "ICC Profile" (type 7, writecount -3, passcount 1).
TIFFFillStrip: Invalid strip byte count 0, strip 1.
Segmentation fault
```

CVE-2016-9581 Infinite loop in tiftoimage
https://github.com/uclouvain/openjpeg/issues/872
poc2.analysis2f

```
$ opj_compress -i 1_000009.tif -o test2.jp2
TIFFOpen: 1_000009.tif: No such file or directory.
tiftoimage:Failed to open 1_000009.tif for reading
Unable to load tiff file
```

Afterwards:
------------------------------

```
$ opj_compress -i 1_000007.tif -o test1.jp2
Unable to load file: got no image
$ opj_compress -i 1_000009.tif -o test2.jp2
Unable to load file: got no image
```

That shows that the patches are doing something and correctly rejecting the files.

And using Herman's command from comment 3:

```
$ strace -o pdf.txt mupdf africa.jpg
$ grep openj pdf.txt
open("/lib64/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 3
```

CC: (none) => tarazed25

Len Lawrence
2016-12-26 19:35:59 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Lewis Smith
2016-12-28 10:27:35 CET

Keywords: (none) => validated_update

Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way openjpeg decoded certain input images. Due to a logic error in the code responsible for decoding the input image, an application using openjpeg to process image data could crash when processing a crafted image (CVE-2016-9572).

A heap buffer overflow flaw was found in the way openjpeg decompressed certain input images. Due to an insufficient check in the imagetopnm() function, an application using openjpeg to process image data could crash when processing a crafted image (CVE-2016-9573).

An integer overflow vulnerability was found in the tiftoimage function, resulting in a heap buffer overflow (CVE-2016-9580).

An infinite loop vulnerability in tiftoimage that results in a heap buffer overflow in convert_32s_C1P1 was found (CVE-2016-9581).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9581
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3C7U32IFCUOTSYNRT6QD5AFHWZ2ELHE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBFRC3OO5376WRT5PO5VE2JL6UB3NBO7/

Thanks David. Advisory ex Comments 6 & 0.

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0426.html

Status: NEW => RESOLVED
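The advisory above describes CVE-2016-9580 as an integer overflow in tiftoimage that ends in a heap buffer overflow: a size computed from attacker-controlled image dimensions wraps, a too-small buffer is allocated, and the decoder then writes past it. The following is an added illustration of the defensive pattern that closes that class of bug, written for this page and not taken from openjpeg or from the Mageia package; the function names, the MAX_DIM limit and the sample dimensions are assumptions made for the example.

```c
/* Added illustration (not openjpeg's code): overflow-checked sizing of an image
 * sample buffer, the guard whose absence lets an integer overflow in a size
 * computation become a heap buffer overflow. Names and limits are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on any single image dimension this example accepts (assumed). */
#define MAX_DIM 65535u

/* Multiply two size_t values; report overflow instead of silently wrapping. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Byte size of a w x h image with ncomp components of bps bytes each.
 * Returns 1 and stores the size, or 0 (leaving *bytes untouched) if any
 * dimension is zero or out of range, or any intermediate product overflows. */
int image_buffer_size(uint32_t w, uint32_t h, uint32_t ncomp, uint32_t bps,
                      size_t *bytes) {
    size_t n;
    if (w == 0 || h == 0 || ncomp == 0 || bps == 0) return 0;
    if (w > MAX_DIM || h > MAX_DIM) return 0;
    if (!mul_checked((size_t)w, (size_t)h, &n)) return 0;
    if (!mul_checked(n, (size_t)ncomp, &n)) return 0;
    if (!mul_checked(n, (size_t)bps, &n)) return 0;
    *bytes = n;
    return 1;
}

/* Convenience wrapper: the validated size, or 0 when the image is rejected. */
size_t checked_or_zero(uint32_t w, uint32_t h, uint32_t ncomp, uint32_t bps) {
    size_t bytes = 0;
    return image_buffer_size(w, h, ncomp, bps, &bytes) ? bytes : 0;
}

/* Allocate only after the size has been validated; NULL means "rejected". */
unsigned char *alloc_image_buffer(uint32_t w, uint32_t h, uint32_t ncomp,
                                  uint32_t bps) {
    size_t bytes;
    if (!image_buffer_size(w, h, ncomp, bps, &bytes)) return NULL;
    return calloc(1, bytes);
}

/* Contrast: the unchecked 32-bit arithmetic a naive loader performs. The
 * product wraps modulo 2^32, so a huge image can yield a tiny size. */
uint32_t naive_size_u32(uint32_t w, uint32_t h, uint32_t ncomp) {
    return w * h * ncomp;
}

int main(void) {
    /* Constructed dimensions: 65536 x 65536 x 1 wraps to 0 in uint32_t. */
    printf("naive uint32 product for 65536x65536x1: %u\n",
           naive_size_u32(65536u, 65536u, 1u));
    printf("checked size for 65536x65536x1: %zu (0 = rejected)\n",
           checked_or_zero(65536u, 65536u, 1u, 1u));
    printf("checked size for 640x480x3: %zu\n",
           checked_or_zero(640u, 480u, 3u, 1u));
    unsigned char *buf = alloc_image_buffer(640u, 480u, 3u, 1u);
    printf("640x480x3 allocation %s\n", buf ? "succeeded" : "rejected");
    free(buf);
    return 0;
}
```

The observable effect of such a guard is what Len's after-update run shows: the loader declines the crafted file with an error message instead of allocating an undersized buffer and crashing. The checks are ordered so that the cheap range test runs first and the overflow-checked multiplications never see values that would be unreasonable for an image anyway.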