Two security issues in openjpeg2 have been announced:
http://openwall.com/lists/oss-security/2016/12/09/4

Fedora also has a patch for two more recently committed in git (fixed by the same author).

Patched packages uploaded for Mageia 5 and Cauldron.

I don't have CVE descriptions yet, so advisory to come later.

Updated packages in core/updates_testing:
========================
openjpeg2-2.1.2-1.1.mga5
libopenjp2_7-2.1.2-1.1.mga5
libopenjpeg2-devel-2.1.2-1.1.mga5

from openjpeg2-2.1.2-1.1.mga5.src.rpm
Fedora has issued an advisory for CVE-2016-957[23] on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3C7U32IFCUOTSYNRT6QD5AFHWZ2ELHE/
URL: (none) => https://lwn.net/Vulnerabilities/708875/
LWN reference for CVE-2016-958[01]:
https://lwn.net/Vulnerabilities/709745/

Fedora has issued an advisory for this on December 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBFRC3OO5376WRT5PO5VE2JL6UB3NBO7/
MGA5-32 on Acer D620 Xfce
No installation issues
mupdf is dependent, so used
$ strace -o openjpeg.txt mupdf /home/tester5/Afbeeldingen/IMG_0013.jpg
and I find in the trace file a.o.
open("/lib/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300K\0\0004\0\0\0"..., 512) = 512
So OK for me
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
x86_64

Test PoCs have been found but analysis depends on address sanitizer support which would have to be specified on a local build. Given the frustrating efforts in the past to use libasan we should try an image conversion and compare the error messages before and after updates.

Before:
--------------------------------
CVE-2016-9580 Integer overflow in tiftoimage
https://github.com/uclouvain/openjpeg/issues/871
poc1.analysis1 1_000007.tif

$ opj_compress -i 1_000007.tif -o test1.jp2
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
_TIFFVSetField: 1_000007.tif: Null count for "ICC Profile" (type 7, writecount -3, passcount 1).
TIFFFillStrip: Invalid strip byte count 0, strip 1.
Segmentation fault

CVE-2016-9581 Infinite loop in tiftoimage
https://github.com/uclouvain/openjpeg/issues/872
poc2.analysis2f

$ opj_compress -i 1_000009.tif -o test2.jp2
TIFFOpen: 1_000009.tif: No such file or directory.
tiftoimage:Failed to open 1_000009.tif for reading
Unable to load tiff file

Afterwards:
------------------------------
$ opj_compress -i 1_000007.tif -o test1.jp2
Unable to load file: got no image

$ opj_compress -i 1_000009.tif -o test2.jp2
Unable to load file: got no image

That shows that the patches are doing something and correctly rejecting the files.

And using Herman's command from comment 3:
$ strace -o pdf.txt mupdf africa.jpg
$ grep openj pdf.txt
open("/lib64/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 3
CC: (none) => tarazed25
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
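The before/after comparison in the comment above, as an added example that is not part of this bug thread or of the openjpeg project: a POSIX shell helper that runs opj_compress on each PoC file under a time limit and classifies the outcome, so a segfault (the CVE-2016-9580 symptom) or an infinite loop (CVE-2016-9581) is told apart from the clean "Unable to load file" rejection expected after the update. The function names classify_poc and check_pocs are hypothetical; the script assumes coreutils timeout and mktemp are available.

```sh
#!/bin/sh
# classify_poc SECS CMD [ARG...]
# Run CMD under a SECS-second limit and print one word for how it handled the
# crafted input: accepted, rejected, crashed or hung.  Returns 0 only for
# accepted/rejected, i.e. the outcomes a fixed library should produce.
classify_poc() {
    secs=$1; shift
    out=$(mktemp) || return 1
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" "$@" >"$out" 2>&1 || status=$?
    else
        # Without coreutils timeout an infinite loop cannot be detected here.
        "$@" >"$out" 2>&1 || status=$?
    fi
    # First diagnostic line goes to stderr so it does not pollute $(...) callers.
    head -n 1 "$out" >&2
    rm -f "$out"
    if [ "$status" -eq 0 ]; then
        echo accepted; return 0
    elif [ "$status" -eq 124 ]; then
        echo hung; return 1          # time limit expired (infinite-loop case)
    elif [ "$status" -ge 128 ]; then
        echo crashed; return 1       # killed by a signal, e.g. SIGSEGV
    else
        echo rejected; return 0      # non-zero exit with an error message
    fi
}

# check_pocs SECS FILE... : feed each PoC TIFF to opj_compress as in the
# comment above and report the outcome per file; exit status 1 if any file
# crashed or hung the converter.
check_pocs() {
    secs=$1; shift
    failed=0
    for f in "$@"; do
        result=$(classify_poc "$secs" opj_compress -i "$f" -o "${f%.*}.jp2") || failed=1
        printf '%s: %s\n' "$f" "$result"
    done
    return "$failed"
}

# Example invocation with the PoC file names from the comment above:
# check_pocs 10 1_000007.tif 1_000009.tif
```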
Validating. Comment 0: advisory to come.
CC: (none) => lewyssmith
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way openjpeg decoded certain input images. Due to a logic error in the code responsible for decoding the input image, an application using openjpeg to process image data could crash when processing a crafted image (CVE-2016-9572).

A heap buffer overflow flaw was found in the way openjpeg decompressed certain input images. Due to an insufficient check in the imagetopnm() function, an application using openjpeg to process image data could crash when processing a crafted image (CVE-2016-9573).

An integer overflow vulnerability was found in the tiftoimage function, resulting in a heap buffer overflow (CVE-2016-9580).

An infinite loop vulnerability in tiftoimage that results in a heap buffer overflow in convert_32s_C1P1 was found (CVE-2016-9581).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9581
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3C7U32IFCUOTSYNRT6QD5AFHWZ2ELHE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBFRC3OO5376WRT5PO5VE2JL6UB3NBO7/
Thanks David. Advisory ex Comments 6 & 0.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0426.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED