| Summary: | openjpeg2 new security issue CVE-2021-3575 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | geiger.david68210, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | openjpeg2-2.4.0-1.1.mga8.src.rpm | CVE: | CVE-2021-3575 |
| Status comment: | |||
Description
David Walser
2021-06-14 00:16:27 CEST
David Walser
2021-06-14 00:16:45 CEST
Status comment:
(none) =>
Patch available from Fedora

Another one for you, David. You are even the registered (as well as actual) maintainer of this!

CC:
geiger.david68210 =>
(none)

Advisory:
========================

Updated openjpeg2 packages fix security vulnerability:

A heap-based buffer overflow was found in openjpeg. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg (CVE-2021-3575).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3575
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BCRXAQJZ7774QPW344OO7IBQX5PPDZ7O/
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.4.0-1.2.mga7
libopenjp2_7-2.4.0-1.2.mga7
libopenjpeg2-devel-2.4.0-1.2.mga7
openjpeg2-2.4.0-1.2.mga8
libopenjp2_7-2.4.0-1.2.mga8
libopenjpeg2-devel-2.4.0-1.2.mga8

from SRPMS:
openjpeg2-2.4.0-1.2.mga7.src.rpm
openjpeg2-2.4.0-1.2.mga8.src.rpm

Whiteboard:
MGA8TOO, MGA7TOO =>
MGA7TOO

mga8, x86_64
Could not find anything useful for the CVE.
Updated the three packages and ran some of the utilities.
$ opj_compress -i Ikapati.bmp -o ikapati.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile ikapati.jp2
encode time: 86 ms
The output file displayed correctly.
$ opj_dump -i ikapati.jp2 -o imagedata
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
$ less imagedata
Image info {
x0=0, y0=0
x1=614, y1=614
numcomps=1
[...]
Codestream index from main header: {
Main header start position=85
Main header end position=204
Marker list: {
type=0xff4f, pos=85, len=2
type=0xff51, pos=87, len=43
type=0xff52, pos=130, len=14
type=0xff5c, pos=144, len=21
type=0xff64, pos=165, len=39
}
}
$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile ikapati.bmp
decode time: 64 ms
$ file *.bmp
ikapati.bmp: PC bitmap, Windows 3.x format, 614 x 614 x 8, image size 376996, resolution 7834 x 7834 px/m, 256 important colors, cbSize 378074, bits offset 1078
Ikapati.bmp: PC bitmap, Windows 3.x format, 614 x 614 x 8, image size 376996, resolution 7834 x 7834 px/m, 256 important colors, cbSize 378074, bits offset 1078
The doubly converted file matches the original perfectly.
A number of applications may require lib64openjp2_7 including darktable, blender and the GIMP.
Pointed darktable at an image and examined it in the darkroom. Applied velvia to amplify the mid-tone bias (?) which generated a warmer, brighter image.
$ grep jp2 darktable.trace | grep -v jessica
openat(AT_FDCWD, "/lib64/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 3
read(14, "ibopenjp2.so.2.4.0\n7fc1ba374000-"..., 1024) = 1024
Giving this an OK.

Whiteboard:
MGA7TOO =>
MGA7TOO MGA8-64-OK

mga7, x64
Updated the three packages and ran similar tests to those in comment 3 and saw the same sort of results.
Used gimp on another jp2 image, scaled it and sheared it and saved it to xcf format which displayed correctly using ImageMagick.
$ grep jp2 gimp.trace | grep -v piuva
openat(AT_FDCWD, "/lib64/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 4
stat("/usr/lib64/gegl-0.4/jp2-load.so", {st_mode=S_IFREG|0755, st_size=24064, ...}) = 0
stat("/usr/lib64/gegl-0.4/jp2-load.so", {st_mode=S_IFREG|0755, st_size=24064, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/gegl-0.4/jp2-load.so", O_RDONLY|O_CLOEXEC) = 4
$ file piuva.xcf
piuva.xcf: GIMP XCF image data, version 011, 640 x 680, RGB Color
Looks good for Mageia 7 as well.

Len Lawrence
2021-06-28 19:54:41 CEST
Whiteboard:
MGA7TOO MGA8-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK

Validating. Advisory comment 2.

Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0292.html

Status:
NEW =>
RESOLVED