Fedora has issued an advisory on October 1:
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168012.html

The CVE request was never answered:
http://openwall.com/lists/oss-security/2015/09/15/4

The patch was added in Cauldron on September 15.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated openjpeg2 packages fix security vulnerability:

Use-after-free vulnerability was found in j2k.c in opj_j2k_write_mco function
(rhbz#1263359).

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168012.html
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.1.0-3.1.mga5
libopenjp2_7-2.1.0-3.1.mga5
libopenjpeg2-devel-2.1.0-3.1.mga5

from openjpeg2-2.1.0-3.1.mga5.src.rpm
Can be tested with imagemagick, mupdf..

$ urpmq --whatrequires lib64openjp2_7
imagemagick
lib64openjp2_7
lib64openjpeg2-devel
mupdf
openjpeg2

or commands from..

$ urpmf openjpeg2 | grep bin
openjpeg2:/usr/bin/opj_compress
openjpeg2:/usr/bin/opj_decompress
openjpeg2:/usr/bin/opj_dump
Whiteboard: (none) => has_procedure
Fedora has issued an advisory on October 5:
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168736.html

This fixes another security issue, double-free issue CVE-2015-6581.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

Use-after-free vulnerability was found in j2k.c in opj_j2k_write_mco function
(rhbz#1263359).

Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd
function in j2k.c in OpenJPEG allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption) by triggering a
memory-allocation failure (CVE-2015-6581).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6581
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168012.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168736.html
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.1.0-3.2.mga5
libopenjp2_7-2.1.0-3.2.mga5
libopenjpeg2-devel-2.1.0-3.2.mga5

from openjpeg2-2.1.0-3.2.mga5.src.rpm
Summary: openjpeg2 new use-after-free security issue => openjpeg2 new use-after-free and double-free (CVE-2015-6581) security issues
Severity: major => critical
LWN reference for CVE-2015-6581: http://lwn.net/Vulnerabilities/659565/
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: openjpeg2

install openjpeg2

[root@localhost wilcal]# urpmi openjpeg2
Package openjpeg2-2.1.0-3.mga5.i586 is already installed

Download bell_206.ppm & blackbuck.ppm samples from:
http://people.sc.fsu.edu/~jburkardt/data/ppmb/ppmb.html
to /Pictures

Run in terminal:
[wilcal@localhost Pictures]$ opj_compress -i bell_206.ppm -o bell_206.j2k -r 200,50,10
[INFO] tile number 1 / 1
[INFO] Generated outfile bell_206.j2k

in /Pictures:
bell_206.j2k 59.9KiB
bell_206.ppm 598.7KiB

Both files can be opened with GIMP

Run in terminal:
[wilcal@localhost Pictures]$ opj_decompress -i bell_206.j2k -o bell_206.pgx
Generated Outfile bell_206.pgx

in /Pictures:
bell_206.j2k 59.9KiB
bell_206.ppm 598.7KiB
bell_206.pgx 199.6KiB

Run in terminal:
[wilcal@localhost Pictures]$ opj_dump -i bell_206.j2k
Displays a whole lotta stuff about bell_206.j2k

install openjpeg2 from updates_testing

[root@localhost wilcal]# urpmi openjpeg2
Package openjpeg2-2.1.0-3.2.mga5.i586 is already installed

Run in terminal:
[wilcal@localhost Pictures]$ opj_compress -i blackbuck.ppm -o blackbuck.j2k -r 200,50,10
Results in a Segmentation fault.

Sorry. :-((
CC: (none) => wilcal.int
urpmi openjpeg2
Package openjpeg2-2.1.0-3.2.mga5.i586 is already installed

I loaded mupdf. Created a PDF file with jpg embedded.
Displayed the file using:
mupdf-x11 cab_n_stove.pdf
All worked fine.
----
I won't post an okay based on Bill's experience above.
CC: (none) => brtians1
Adding feedback whiteboard entry due to comment 4.
Whiteboard: has_procedure advisory => has_procedure advisory feedback
mga5 x86_64

Maybe a ppm file problem:

Both openjpeg2-2.1.0-3.2.mga5 and openjpeg2-2.1.0-3.mga5 fail for
opj_compress -i blackbuck.ppm -o blackbuck.j2k -r 200,50,10
but both succeed for
opj_compress -i bell_206.ppm -o bell_206.j2k -r 200,50,10

At least this isn't a regression.
CC: (none) => yann.cantin
[wilcal@localhost Pictures]$ gdb --args opj_compress -i blackbuck.ppm -o blackbuck.j2k -r 200,50,10
GNU gdb (GDB) 7.8.1-7.mga5 (Mageia release 5)
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-mageia-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from opj_compress...Reading symbols from /usr/lib/debug/usr/bin/opj_compress.debug...done.
done.

I'm not very familiar with gdb. Hints are appreciated.
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: openjpeg2

using updated openjpeg2

[root@localhost Pictures]# urpmi openjpeg2
Package openjpeg2-2.1.0-3.2.mga5.i586 is already installed

Run in terminal:
[wilcal@localhost Pictures]$ opj_compress -i bell_206.ppm -o bell_206.j2k -r 200,50,10
[INFO] tile number 1 / 1
[INFO] Generated outfile bell_206.j2k

in /Pictures:
bell_206.j2k 59.9KiB
bell_206.ppm 598.7KiB

Both files can be opened with GIMP

Run in terminal:
[wilcal@localhost Pictures]$ opj_decompress -i bell_206.j2k -o bell_206.pgx
Generated Outfile bell_206.pgx

in /Pictures:
bell_206.j2k 59.9KiB
bell_206.ppm 598.7KiB
bell_206.pgx 199.6KiB

Run in terminal:
[wilcal@localhost Pictures]$ opj_dump -i bell_206.j2k
Displays a whole lotta stuff about bell_206.j2k

Seems to work fine with bell_206.ppm but not with blackbuck.ppm
Well, trying this with a bunch of different files:

opj_compress -i newton.ppm -o newton.j2k -r 200,50,10 ( unable to load file )
opj_compress -i pbmlib.ppm -o pbmlib.j2k -r 200,50,10 ( seg fault )
opj_compress -i underwater_bmx.ppm -o underwater_bmx.j2k -r 200,50,10 ( works fine )
opj_compress -i test1.png -o test1.j2k -r 200,50,10 ( works fine )
opj_compress -i test2.png -o test2.j2k -r 200,50,10 ( works fine )

Seems to be picky on what files it deals with.

[root@localhost Pictures]# opj_compress -i test1.jpg -o test1.j2k -r 200,50,10
[ERROR] Unknown input file format: test1.jpg
Known file formats are *.pnm, *.pgm, *.ppm, *.pgx, *png, *.bmp, *.tif, *.raw or *.tga
William, thanks for the tests. Would you mind filing a bug report upstream here for the segfaulting test cases you identified? https://github.com/uclouvain/openjpeg/issues As it's not a regression and it's not a PoC for these security issues, we can OK and release this as-is.
Whiteboard: has_procedure advisory feedback => has_procedure advisory
Agreed. Adding OK's from previous tests.
You can link the bug report here if you do one, Bill.

Validating. Please push to 5 updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs
Thanks all for the help on this one.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0398.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
use-after-free issue finally assigned CVE-2015-8871:
http://openwall.com/lists/oss-security/2016/05/13/1

Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

Use-after-free vulnerability was found in j2k.c in opj_j2k_write_mco function
(CVE-2015-8871).

Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd
function in j2k.c in OpenJPEG allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption) by triggering a
memory-allocation failure (CVE-2015-6581).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6581
http://openwall.com/lists/oss-security/2016/05/13/1
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168012.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168736.html
Summary: openjpeg2 new use-after-free and double-free (CVE-2015-6581) security issues => openjpeg2 new use-after-free (CVE-2015-8871) and double-free (CVE-2015-6581) security issues