| Summary: | openjpeg2 new security issue CVE-2020-6851 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | openjpeg2-2.3.1-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Shortlist of dependent applications | ||
|
Description
David Walser
2020-01-28 16:36:23 CET
David Walser
2020-01-28 16:36:31 CET
Whiteboard:
(none) =>
MGA7TOO
Patched packages uploaded by Nicolas.
Advisory:
========================
Updated openjpeg2 packages fix security vulnerability:
OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in libopenjp2.so (CVE-2020-6851).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6851
https://access.redhat.com/errata/RHSA-2020:0262
========================
Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.2.mga7
libopenjp2_7-2.3.1-1.2.mga7
libopenjpeg2-devel-2.3.1-1.2.mga7
from openjpeg2-2.3.1-1.2.mga7.src.rpm
Whiteboard:
MGA7TOO =>
(none)
Mageia7, x86_64
CVE-2020-6851
PoC available.
https://github.com/uclouvain/openjpeg/issues/1228
$ opj_decompress -i openjpeg_poc.jp2 -o image_verification.png
[INFO] Start to read j2k main header (1277).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 33 has been read.
free(): invalid pointer
Aborted (core dumped)
That is expected. Continuing this tomorrow.
CC:
(none) =>
tarazed25
Updated the packages.
$ opj_decompress -i openjpeg_poc.jp2 -o image_verification.png
[INFO] Start to read j2k main header (1277).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[ERROR] Image coordinates above INT_MAX are not supported
ERROR -> opj_decompress: failed to set the decoded area
Looks like it has been caught.
Used the image utilities to transform some files.
$ opj_compress -i piuva.ppm -o piuva.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile piuva.jp2
encode time: 52 ms
<The jp2 image displayed correctly>
$ opj_dump -i piuva.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
x0=0, y0=0
x1=320, y1=340
[...]
type=0xff64, pos=171, len=39
}
}
No luck trying to convert local PNG files to openjpeg format although PNG is supposed to be supported. We should probably ignore this because maybe only certain PNG formats are supported. Some already have built-in compression which would be flagged in the image header. That is an unknown anyway.
$ opj_compress -i GlenShiel.pnm -o glenshiel.j2k
[INFO] tile number 1 / 1
[INFO] Generated outfile glenshiel.j2k
encode time: 1187 ms
$ opj_compress -i ikapati.ppm -o ikapati.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile ikapati.jp2
encode time: 207 ms
$ opj_compress -i barbara.bmp -o barbara.j2k
[INFO] tile number 1 / 1
[INFO] Generated outfile barbara.j2k
encode time: 48 ms
`gm display` and `display` show the output images fine but none of the popular image browsers tried have caught up with open jpeg yet.
This looks good for 64-bits.
Whiteboard:
(none) =>
MGA7-64-OK
Sorry, omitted decompress tests in comment 3.
$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile ikapati.bmp
decode time: 105 ms
$ opj_decompress -i piuva.jp2 -o piuva2.pnm
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile piuva2.pnm
decode time: 30 ms
There are many modifiers for both compress and decompress, which have not been tested.
Validating. Advisory in Comment 1.
Keywords:
(none) =>
validated_update
Created attachment 11492
Shortlist of dependent applications
Thomas Backlund
2020-01-30 18:24:26 CET
Keywords:
(none) =>
advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0071.html
Status:
NEW =>
RESOLVED |