| Summary: | openjpeg2 new security issues CVE-2020-27814 and CVE-2020-2782[34] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | openjpeg2-2.3.1-1.4.mga7.src.rpm | CVE: | CVE-2020-27814, CVE-2020-27823, CVE-2020-27824 |
| Status comment: | |||
Description
David Walser
2020-12-15 00:55:32 CET
David Walser
2020-12-15 00:55:40 CET
Whiteboard:
(none) =>
MGA7TOO

Done for both Cauldron and mga7! fixes CVE-2020-27814 and CVE-2020-2782[34]

CC:
(none) =>
geiger.david68210

Suggested Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities

Heap-buffer-overflow in lib(64)openjp2/mqc.c could result in DoS (CVE-2020-27814).

Heap-buffer-overflow write in lib(64)openjp2 (CVE-2020-27823).

Global-buffer-overflow read in lib(64)openjp2 (CVE-2020-27824).

references:
- https://bugzilla.redhat.com/show_bug.cgi?id=1902001
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/
- https://security-tracker.debian.org/tracker/CVE-2020-27823
- https://security-tracker.debian.org/tracker/CVE-2020-27824
========================

Updated packages in core/updates_testing:
========================
lib(64)openjp2_7-2.3.1-1.5.mga7
lib(64)openjpeg2-devel-2.3.1-1.5.mga7
openjpeg2-2.3.1-1.5.mga7

from SRPM openjpeg2-2.3.1-1.5.mga7.src.rpm

CC:
(none) =>
ouaurelien

RedHat has more fleshed out CVE descriptions.

Suggested Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

A heap-buffer overwrites error was discovered in lib/openjp2/mqc.c in OpenJPEG 2.3.1. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution (CVE-2020-27814).

A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2020-27823).

There is a flaw in openjpeg's encoder in the opj_dwt_calc_explicit_stepsizes() function. An attacker who is able to supply crafted input to decomposition levels could cause a buffer overflow, potentially causing an impact to application availability (CVE-2020-27824).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27824
https://bugzilla.redhat.com/show_bug.cgi?id=1905762
https://bugzilla.redhat.com/show_bug.cgi?id=1905723
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/

Summary:
openjpeg2 new security issue CVE-2020-27814 =>
openjpeg2 new security issues CVE-2020-27814 and CVE-2020-2782[34]

Fedora has issued an advisory for the newer CVEs today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQR4EWRFFZQDMFPZKFZ6I3USLMW6TKTP/

Suggested Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

A heap-buffer overwrites error was discovered in lib/openjp2/mqc.c in OpenJPEG 2.3.1. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution (CVE-2020-27814).

A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2020-27823).

There is a flaw in openjpeg's encoder in the opj_dwt_calc_explicit_stepsizes() function. An attacker who is able to supply crafted input to decomposition levels could cause a buffer overflow, potentially causing an impact to application availability (CVE-2020-27824).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27824
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQR4EWRFFZQDMFPZKFZ6I3USLMW6TKTP/

mga7, x86_64
CVE-2020-27814
CVE-2020-27823
CVE-2020-27824
No reproducers found.
Updated the three packages.
Exercised some of the library tools.
$ opj_compress -i ikapati.ppm -o ikapati.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile ikapati.jp2
encode time: 280 ms
Looks fine using ImageMagick to display.
$ opj_dump -i ikapati.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
x0=0, y0=0
x1=1434, y1=717
[...]
type=0xff5c, pos=150, len=21
type=0xff64, pos=171, len=39
}
}
$ file ikapati.jp2
ikapati.jp2: JPEG 2000 Part 1 (JP2)
$ identify ikapati.jp2
ikapati.jp2 JP2 1434x717 1434x717+0+0 8-bit sRGB 0.000u 0:00.000
$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile ikapati.bmp
decode time: 107 ms
$ display ikapati.bmp
Looks identical to original file.
It is still true that the likes of eom, ristretto, gwenview and gthumb do not deal with openjpeg2 images.
This can be sent on.

Whiteboard:
(none) =>
MGA7-64-OK

Validating. Best advisory in Comment 4.

Keywords:
(none) =>
validated_update

Advisory pushed to SVN.

Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0464.html

Resolution:
(none) =>
FIXED