Bug 26162

Summary: openjpeg2 new security issue CVE-2020-8112
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: openjpeg2-2.3.1-1.2.mga7.src.rpm CVE: CVE-2020-8112
Status comment:

Description David Walser 2020-02-02 00:55:50 CET 
Debian-LTS has issued an advisory on January 31:
https://www.debian.org/lts/security/2020/dla-2089

Mageia 7 is also affected.
David Walser 2020-02-02 00:55:57 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2020-02-02 11:09:36 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. (CVE-2020-8112)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8112
https://www.debian.org/lts/security/2020/dla-2089
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.3.mga7
lib(64)openjp2_7-2.3.1-1.3.mga7
lib(64)openjpeg2-devel-2.3.1-1.3.mga7

from SRPMS:
openjpeg2-2.3.1-1.3.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-8112
Version: Cauldron => 7

Comment 2 Len Lawrence 2020-02-03 16:17:20 CET 
Mageia7, x86_64

CVE-2020-8112
https://github.com/uclouvain/openjpeg/issues/1231
$ opj_decompress -i openjpeg_poc2 -o verification.pgm
===========================================
The extension of this file is incorrect.
FOUND poc2. SHOULD BE .jp2
===========================================
[INFO] Start to read j2k main header (884).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
Segmentation fault (core dumped)

Updated the three packages and tried the PoC.

$ opj_decompress -i openjpeg_poc2 -o verification.pgm
===========================================
The extension of this file is incorrect.
FOUND poc2. SHOULD BE .jp2
===========================================
[INFO] Start to read j2k main header (884).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[ERROR] Integer overflow
[ERROR] Cannot decode tile, memory error
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

That seems to have trapped the problem - the heap buffer overflow seems to have triggered an integer overflow.  Shall assume that this is within the range of expected outcomes.

Ran a quick series of tests on images following the procedure in https://bugs.mageia.org/show_bug.cgi?id=26141
No regressions encountered.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-02-04 00:18:21 CET 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-04 11:21:49 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2020-02-04 12:08:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0074.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED