Bug 20038 - openjpeg2 new security issues CVE-2016-911[2-8]
Summary: openjpeg2 new security issues CVE-2016-911[2-8]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710286/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Reported: 2016-12-28 18:48 CET by David Walser
Modified: 2017-02-18 22:50 CET (History)
6 users (show)

See Also:
Source RPM: openjpeg2-2.1.2-1.1.mga5.src.rpm
Status comment:


Description David Walser 2016-12-28 18:48:05 CET
SUSE has issued an advisory on December 27:

Mageia 5 is also affected.
David Walser 2016-12-28 18:48:13 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-12-30 09:41:49 CET
Assigning to maintainer, but CC'ing all packagers collectively, because we haven't heard from the maintainer in a long time.

We miss you, fwang, and hope everything's well with you.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang

Comment 2 Nicolas Salguero 2017-02-10 13:51:12 CET
Suggested advisory:

The updated packages fix security vulnerabilities:

Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG 2.1.2. (CVE-2016-9112)

There is a NULL pointer dereference in function imagetobmp of convertbmp.c:980 of OpenJPEG 2.1.2. image->comps[0].data is not assigned a value after initialization(NULL). Impact is Denial of Service. (CVE-2016-9113)

There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service. (CVE-2016-9114)

Heap Buffer Over-read in function imagetotga of convert.c(jp2):942 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. (CVE-2016-9115)

NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. (CVE-2016-9116)

NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file. (CVE-2016-9117)

Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of convert.c:1719 in OpenJPEG 2.1.2. (CVE-2016-9118)


Updated packages in core/updates_testing:

from SRPMS:

CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: fundawang => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Lewis Smith 2017-02-11 21:38:16 CET
Testing M5_64

There are 3 (2 really) commands to play with:
 obj_compress         Other formats -> jp2
 obj_decompress       jp2-> other formats
[obj_dump             Dump a .jp2 .j2k .jpt image to stdout]

AFTER the update:

Converted sucessfully .bmp .ppm images to j2k/jp2, which displayed OK with ImageMagick.
$ opj_compress -i blackbuck.bmp -o blackbuck.j2k
[INFO] tile number 1 / 1
[INFO] Generated outfile blackbuck.j2k
$ opj_compress -i blackbuck.ppm -o blackbuck.j2k
[INFO] tile number 1 / 1
[INFO] Generated outfile blackbuck.j2k

.png .tif both FAILED (it does not recognise .tiff). Both source files displayed OK.
$ opj_compress -i blackbuck.png -o blackbuck.j2k
Unable to load file: got no image
$ opj_compress -i blackbuck.tif -o blackbuck.jp2
Unable to load file: got no image

The decoding jp2 -> other formats followed the same success (.bmp .ppm) which displayed correctly; and failure (.png .tif) as for the encoding:
$ opj_decompress -i bell_206.j2k -o bell_206.bmp
[INFO] Generated Outfile bell_206.bmp
$ opj_decompress -i bell_206.j2k -o bell_206.ppm
[INFO] Generated Outfile bell_206.ppm

$ opj_decompress -i bell_206.j2k -o bell_206.png
[ERROR] Outfile bell_206.png not generated
$ opj_decompress -i bell_206.j2k -o bell_206.tif
[ERROR] Outfile bell_206.tif not generated

This behaviour was the same BEFORE the update (I reverted & checked it):
so I am OKing this update (no reversion) despite the dubious behaviour of the packages. Perhaps this is just on my system. Next tester please cross-check.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Lewis Smith 2017-02-11 21:46:39 CET

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 4 Len Lawrence 2017-02-12 01:58:01 CET
@Lewis re comment 3.
Will do.  And when I have time a 32-bit vbox test.

A whole lot of CVEs again and the report offers to supply a PoC if contacted by email.  Don't know if that is worth following up.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-02-16 16:03:52 CET
Valid input image extensions are .bmp, .pgm, .pgx,  .png,  .pnm,  .ppm,
       .raw, .tga, .tif . For PNG resp. TIF it needs libpng resp. libtiff .

This machine has lib64png16_16 and lib64tiff5.

$ opj_compress -i indian_blackbuck.png -o blackbuck.j2k
Unable to load file: got no image
$ opj_compress -i lena_color.tiff -o lenacolor.j2k
[ERROR] Unknown input file format: lena_color.tiff 
        Known file formats are *.pnm, *.pgm, *.ppm, *.pgx, *png, *.bmp, *.tif, *.raw or *.tga

So, "dubious behaviour" is confirmed with respect to PNG and TIFF formats.

opj_decompress works fine for PPM and PNM output formats but not PNG or TIFF.

Updated packages worked fine apart from the unsupported "supported" formats.

opj_dump of a J2K file shows the structure of the data in the file.
Comment 6 Len Lawrence 2017-02-16 20:41:48 CET
i586 virtualbox

Updated the packages and checked that libpng and libtiff were installed.
Used the three utilities to convert between PNM, PPM, JP2 and J2K file formats.  The resulting images displayed fine.  Used opj_dump to show the data structure of a JP2 file.  As before compressing PNG and TIFF files failed.

The overall behaviour of the 32bit packages is no different from 64bits so this can be passed.
Len Lawrence 2017-02-16 20:42:15 CET

Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK

Len Lawrence 2017-02-18 22:30:56 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory MGA5-32-OK => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-02-18 22:50:39 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.