Bug 25769 - openjpeg2 new security issue CVE-2019-12973
Summary: openjpeg2 new security issue CVE-2019-12973
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-26 23:12 CET by David Walser
Modified: 2019-12-06 15:17 CET

See Also:
Source RPM: openjpeg2-2.3.1-1.mga7.src.rpm
CVE: CVE-2019-12973
Status comment:



Description David Walser 2019-11-26 23:12:53 CET
openSUSE has issued an advisory on September 30:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00177.html
Comment 1 Nicolas Salguero 2019-11-27 09:36:23 CET
This CVE is for openjpeg2, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12973:
"""
In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.
"""

Since we remove the internal openjpeg2 and use the system one when we build ghostscript, the problem is not with ghostscript but with openjpeg2, so I change the bug report.

Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Source RPM: ghostscript-9.27-1.4.mga7.src.rpm => openjpeg2-2.3.1-1.mga7.src.rpm
CVE: (none) => CVE-2019-12973
Summary: ghostscript new security issue CVE-2019-12973 => openjpeg2 new security issue CVE-2019-12973

Comment 2 Nicolas Salguero 2019-11-27 10:18:04 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616. (CVE-2019-12973)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12973
https://lists.opensuse.org/opensuse-updates/2019-09/msg00177.html
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.1.mga7
lib(64)openjp2_7-2.3.1-1.1.mga7
lib(64)openjpeg2-devel-2.3.1-1.1.mga7

from SRPMS:
openjpeg2-2.3.1-1.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7

Comment 3 Thomas Andrews 2019-12-04 02:13:08 CET
64-bit Plasma system, Intel graphics.

urpmq --whatrequires lib64openjp2_7 indicates the package is used by both ImageMagick and The GIMP. Downloaded a sample jp2 image, and attempted to load it into both apps, both before and after updating.

ImageMagick loaded and displayed the image correctly in both instances, while The GIMP did not. A little research on the Web indicated that The GIMP switched to using openjpeg2-2 starting with version 2.10, using jasper in previous versions. Since ImageMagick works OK, the fault with The GIMP would seem to rest within The GIMP, which is beyond the scope of this bug. A separate bug is needed for that.

Giving this a 64-bit OK, and Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-12-06 14:16:41 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2019-12-06 15:17:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0365.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

