| Summary: | openjpeg2 new security issues fixed upstream in 2.4.0 (including CVE-2020-27844) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | openjpeg2-2.3.1-1.6.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-12-30 04:34:22 CET
openjpeg2-2.4.0-1.mga8 uploaded for Cauldron by David. We'll probably want to update it for Mageia 7 too.

Version: Cauldron => 7

We may have most of the security fixes already (or at least the more serious ones), but it's hard to tell with them not labeling things consistently with CVEs in the changelog. At the very least we've missed one security issue, CVE-2020-27844.

Debian-LTS has issued an advisory for this on February 9:
https://www.debian.org/lts/security/2021/dla-2550

Severity: normal => critical

Done for mga7!

Package list:
openjpeg2-2.4.0-1.mga7
libopenjp2_7-2.4.0-1.mga7
libopenjpeg2-devel-2.4.0-1.mga7

from openjpeg2-2.4.0-1.mga7.src.rpm

CC: (none) => geiger.david68210

The Debian advisory lists the four CVEs which were probably covered in the update under bug 27903 so you are probably right about the fixes having been done except for the "missing" CVE-2020-27844. Unfortunately there seem to be no PoC for any openjpeg2 issues going back to bug 26953 exclusive. Shall run the usual tests.

CC: (none) => tarazed25

mga7, x64
Decompressed a JP2 image before updating.
Clean install for the three packages.
$ opj_decompress -i Ikapati.jp2 -o Ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile Ikapati.bmp
decode time: 38 ms
The BMP file displayed correctly with display, eom and gthumb.
$ opj_dump -i Ikapati.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
x0=0, y0=0
x1=614, y1=614
[...]
Codestream index from main header: {
Main header start position=85
Main header end position=204
Marker list: {
type=0xff4f, pos=85, len=2
....
$ opj_compress -i sunset_1.bmp -o sunset.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile sunset.jp2
encode time: 484 ms
$ display sunset.jp2
<OK>
According to help the utilities recognize *.pnm, *.pgm, *.ppm, *.pgx, *.png, *.bmp, *.tif, *.raw or *.tga.
Picking a few at random confirmed that PNM, TGA, PPM files can be compressed to JP2 format. Could not find any PNG or TIFF files which could be converted to JP2. They all come back with the message "Unable to load file: got no image".
This is not a regression - it has been noted before and may indicate a project still in progress.
As far as these local tests go it continues to work.

Whiteboard: (none) => MGA7-64-OK

Rider to comment 6: There may well be some PNG images which can be compressed, because they come in several flavours with different levels of compression IIRC.

Validating.

Keywords: (none) => validated_update

So we have previous fixes done, adding an adv for CVE-2020-27844:

Advisory:
========================

Updated openjpeg2 packages fix security vulnerability:

A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27844).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27844
https://www.debian.org/lts/security/2021/dla-2550
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.4.0-1.mga7
libopenjp2_7-2.4.0-1.mga7
libopenjpeg2-devel-2.4.0-1.mga7

from openjpeg2-2.4.0-1.mga7.src.rpm

This is committed to SVN.

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0093.html

Status: NEW => RESOLVED |