Debian has issued an advisory today (December 3):
http://www.debian.org/security/2013/dsa-2808

It lists several CVEs that they have fixed for openjpeg 1.3 (but not yet for 1.5.1, which is the version we have).

They posted a bug after posting the advisory that says there are a couple of other CVEs that only affect 1.5.1 (and not 1.3), and that details should be coming to the oss-sec list soon:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731237
Whiteboard: (none) => MGA3TOO
Here's the aforementioned post on oss-sec: http://openwall.com/lists/oss-security/2013/12/04/6
Blocks: (none) => 11726
Fedora has issued an advisory for this on December 7:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124072.html

LWN reference for CVE-2013-6053:
http://lwn.net/Vulnerabilities/577186/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6053
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6887
CC: (none) => oe
======================================================
Name: CVE-2013-1447
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130126
Category:
Reference: DEBIAN:DSA-2808
Reference: URL:http://www.debian.org/security/2013/dsa-2808

OpenJPEG 1.3 and earlier allows remote attackers to cause a denial of service (memory consumption or crash) via unspecified vectors.

======================================================
Name: CVE-2013-6045
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131008
Category:
Reference: DEBIAN:DSA-2808
Reference: URL:http://www.debian.org/security/2013/dsa-2808

Multiple heap-based buffer overflows in OpenJPEG 1.3 and earlier might allow remote attackers to execute arbitrary code via unspecified vectors.

======================================================
Name: CVE-2013-6052
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131008
Category:
Reference: DEBIAN:DSA-2808
Reference: URL:http://www.debian.org/security/2013/dsa-2808

OpenJPEG 1.3 and earlier allows remote attackers to obtain sensitive information via unspecified vectors.

======================================================
Name: CVE-2013-6054
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6054
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131008
Category:
Reference: DEBIAN:DSA-2808
Reference: URL:http://www.debian.org/security/2013/dsa-2808

Heap-based buffer overflow in OpenJPEG 1.3 has unspecified impact and remote vectors, a different vulnerability than CVE-2013-6045.
I'm not quite sure what to do with this. According to the oss-sec post, openjpeg 1.5.1 has five security issues, CVE-2013-6052, CVE-2013-6053, CVE-2013-6045, CVE-2013-1447, and CVE-2013-6887. Fedora has fixed the first three only, and only in mingw-openjpeg, not openjpeg. RedHat has fixed the ones relevant to openjpeg 1.3 in RHEL6. RedHat's bugs for CVE-2013-6053 and CVE-2013-6887, the only ones only affecting openjpeg 1.5.1 and not 1.3, were closed as NOTABUG, but is that just because they don't affect RHEL? What about Fedora? Do they not intend to fix them for openjpeg 1.5.1 in Fedora? I don't see any statement about that anywhere, and don't know why that would be the case. I also haven't seen any other distros release updates for openjpeg 1.5.1 thus far.
The maintainer of mingw-openjpeg in Fedora has added patches to fix CVE-2013-1447 and CVE-2013-6887 as well. It appears that the maintainer of the openjpeg package just hasn't addressed these issues as of yet, but is expected to at some point. Thanks to Oden for contacting Fedora's mingw-openjpeg maintainer for clarification.
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated openjpeg packages fix security vulnerabilities:

Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2013-6045).

Multiple denial of service flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash (CVE-2013-1447, CVE-2013-6052, CVE-2013-6053, CVE-2013-6887).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6887
http://openwall.com/lists/oss-security/2013/12/04/6
https://rhn.redhat.com/errata/RHSA-2013-1850.html
========================

Updated packages in core/updates_testing:
========================
openjpeg-1.5.1-3.1.mga3
libopenjpeg5-1.5.1-3.1.mga3
libopenjpeg-devel-1.5.1-3.1.mga3

from openjpeg-1.5.1-3.1.mga3.src.rpm
Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
Severity: normal => critical
Assignee: bugsquad => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
openjpeg

install openjpeg

[root@localhost wilcal]# urpmi openjpeg
Package openjpeg-1.5.1-3.mga3.i586 is already installed

Download Bretagne1.ppm sample from openjpeg.org to /Pictures
Run in terminal:
[wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.168000 s
Generated outfile Bretagne1.j2k

/Pictures:
Bretagne1.ppm 900.0KiB
Bretagne1.j2k 89.5KiB
Both files can be opened with GIMP
Delete Bretagne1.j2k

install openjpeg from updates_testing

[root@localhost wilcal]# urpmi openjpeg
Package openjpeg-1.5.1-3.1.mga3.i586 is already installed

Run in terminal:
[wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.175000 s
Generated outfile Bretagne1.j2k

/Pictures:
Bretagne1.ppm 900.0KiB
Bretagne1.j2k 89.5KiB
Both files can be opened with GIMP

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
openjpeg

install openjpeg

[root@localhost wilcal]# urpmi openjpeg
Package openjpeg-1.5.1-3.mga3.x86_64 is already installed

Download Bretagne1.ppm sample from openjpeg.org to /Pictures
Run in terminal:
[wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.155000 s
Generated outfile Bretagne1.j2k

/Pictures:
Bretagne1.ppm 900.0KiB
Bretagne1.j2k 89.5KiB
Both files can be opened with GIMP
Delete Bretagne1.j2k

install openjpeg from updates_testing

[root@localhost wilcal]# urpmi openjpeg
Package openjpeg-1.5.1-3.1.mga3.x86_64 is already installed

Run in terminal:
[wilcal@localhost Pictures]$ image_to_j2k -i Bretagne1.ppm -o Bretagne1.j2k -r 200,50,10

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.148000 s
Generated outfile Bretagne1.j2k

/Pictures:
Bretagne1.ppm 900.0KiB
Bretagne1.j2k 89.5KiB
Both files can be opened with GIMP

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
(In reply to David Walser from comment #7)
> Patched packages uploaded for Mageia 3 and Cauldron.

Are you comfortable with my testing success to push this one David?
(In reply to William Kenney from comment #10)
> (In reply to David Walser from comment #7)
>
> > Patched packages uploaded for Mageia 3 and Cauldron.
>
> Are you comfortable with my testing success to push
> this one David?

Yep, you can validate this one. Thanks.
Testing complete for mga3 32 & 64

Validating the update.
Could someone from the sysadmin team push xxxx.adv to updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0005.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN reference for CVE-2013-6887: http://lwn.net/Vulnerabilities/579344/
Note that the CVE-2013-6045 fix caused a regression and therefore wasn't included when Fedora finally updated their openjpeg package. More info on their bug and the Debian bug in the RH bug's see also field. Hopefully there will be an updated fix soon: https://bugzilla.redhat.com/show_bug.cgi?id=1047494