Bug 25769

Summary: openjpeg2 new security issue CVE-2019-12973
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: openjpeg2-2.3.1-1.mga7.src.rpm
CVE: CVE-2019-12973
Status comment:

Description David Walser 2019-11-26 23:12:53 CET
openSUSE has issued an advisory on September 30:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00177.html

Comment 1 Nicolas Salguero 2019-11-27 09:36:23 CET
This CVE is for openjpeg2, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12973:
"""
In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.
"""

Since we remove the internal openjpeg2 and use the system one when we build ghostscript, the problem is not with ghostscript but with openjpeg2, so I am changing the bug report.

Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Source RPM: ghostscript-9.27-1.4.mga7.src.rpm => openjpeg2-2.3.1-1.mga7.src.rpm
CVE: (none) => CVE-2019-12973
Summary: ghostscript new security issue CVE-2019-12973 => openjpeg2 new security issue CVE-2019-12973

Comment 2 Nicolas Salguero 2019-11-27 10:18:04 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616. (CVE-2019-12973)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12973
https://lists.opensuse.org/opensuse-updates/2019-09/msg00177.html
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.1.mga7
lib(64)openjp2_7-2.3.1-1.1.mga7
lib(64)openjpeg2-devel-2.3.1-1.1.mga7

from SRPMS:
openjpeg2-2.3.1-1.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7

Comment 3 Thomas Andrews 2019-12-04 02:13:08 CET
64-bit Plasma system, Intel graphics.

urpmq --whatrequires lib64openjp2_7 indicates the package is used by both ImageMagick and The GIMP. Downloaded a sample jp2 image, and attempted to load it into both apps, both before and after updating.

ImageMagick loaded and displayed the image correctly in both instances, while The GIMP did not. A little research on the Web indicated that The GIMP switched to using openjpeg2-2 starting with version 2.10, using jasper in previous versions. Since ImageMagick works OK, the fault with The GIMP would seem to rest within The GIMP, which is beyond the scope of this bug. A separate bug is needed for that.

Giving this a 64-bit OK, and Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-12-06 14:16:41 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2019-12-06 15:17:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0365.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED