Bug 26141 - openjpeg2 new security issue CVE-2020-6851
Summary: openjpeg2 new security issue CVE-2020-6851
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-28 16:36 CET by David Walser
Modified: 2020-01-30 19:29 CET
5 users

See Also:
Source RPM: openjpeg2-2.3.1-2.mga8.src.rpm
CVE:
Status comment:


Attachments
Shortlist of dependent applications (343 bytes, text/plain)
2020-01-29 23:02 CET, Len Lawrence

Description David Walser 2020-01-28 16:36:23 CET
RedHat has issued an advisory today (January 28):
https://access.redhat.com/errata/RHSA-2020:0262

Mageia 7 is also affected.
David Walser 2020-01-28 16:36:31 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-01-28 23:53:07 CET
Patched packages uploaded by Nicolas.

Advisory:
========================

Updated openjpeg2 packages fix security vulnerability:

OpenJPEG through 2.3.1 has a heap-based buffer overflow in
opj_t1_clbl_decode_processor in libopenjp2.so (CVE-2020-6851).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6851
https://access.redhat.com/errata/RHSA-2020:0262
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.2.mga7
libopenjp2_7-2.3.1-1.2.mga7
libopenjpeg2-devel-2.3.1-1.2.mga7

from openjpeg2-2.3.1-1.2.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 7
Assignee: nicolas.salguero => qa-bugs

Comment 2 Len Lawrence 2020-01-29 00:21:08 CET
Mageia7, x86_64

CVE-2020-6851
PoC available.
https://github.com/uclouvain/openjpeg/issues/1228
$ opj_decompress -i openjpeg_poc.jp2 -o image_verification.png
[INFO] Start to read j2k main header (1277).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 33 has been read.
free(): invalid pointer
Aborted (core dumped)

That is expected.
Continuing this tomorrow.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-01-29 15:52:34 CET
Updated the packages.
$ opj_decompress -i openjpeg_poc.jp2 -o image_verification.png
[INFO] Start to read j2k main header (1277).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[ERROR] Image coordinates above INT_MAX are not supported
ERROR -> opj_decompress: failed to set the decoded area

Looks like it has been caught.

Used the image utilities to transform some files.
$ opj_compress -i piuva.ppm -o piuva.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile piuva.jp2
encode time: 52 ms 
<The jp2 image displayed correctly>

$ opj_dump -i piuva.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
	 x0=0, y0=0
	 x1=320, y1=340
[...]
		 type=0xff64, pos=171, len=39
	 }
}

No luck trying to convert local PNG files to openjpeg format although PNG is supposed to be supported.  We should probably ignore this because maybe only certain PNG formats are supported.  Some already have built-in compression which would be flagged in the image header.  That is an unknown anyway.

$ opj_compress -i GlenShiel.pnm -o glenshiel.j2k
[INFO] tile number 1 / 1
[INFO] Generated outfile glenshiel.j2k
encode time: 1187 ms 
$ opj_compress -i ikapati.ppm -o ikapati.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile ikapati.jp2
encode time: 207 ms 
$ opj_compress -i barbara.bmp -o barbara.j2k
[INFO] tile number 1 / 1
[INFO] Generated outfile barbara.j2k
encode time: 48 ms 

`gm display` and `display` show the output images fine but none of the popular image browsers tried have caught up with open jpeg yet.

This looks good for 64-bits.

Whiteboard: (none) => MGA7-64-OK

Comment 4 Len Lawrence 2020-01-29 16:29:56 CET
Sorry, omitted decompress tests in comment 3.

$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile ikapati.bmp
decode time: 105 ms

$ opj_decompress -i piuva.jp2 -o piuva2.pnm
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile piuva2.pnm
decode time: 30 ms

There are many modifiers for both compress and decompress, which have not been tested.

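
The checks in comments 2 to 4 come down to one question per run: did opj_decompress crash (the "free(): invalid pointer" abort seen before the update), reject the input cleanly (the "Image coordinates above INT_MAX" error seen after it), or decode the file? The shell harness below is an added example for automating that classification; it is not a script from this bug report or from the OpenJPEG project. It assumes opj_compress and opj_decompress are on PATH, and the file names (openjpeg_poc.jp2 from the upstream issue, a test .ppm) are placeholders that are not included here.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenJPEG.
# Classifies how a decoder run ended, mirroring the three outcomes in
# comments 2-4 of the thread:
#   ok     - exit 0: the image decoded
#   error  - non-zero exit chosen by the program itself (clean rejection,
#            e.g. "[ERROR] Image coordinates above INT_MAX")
#   crash  - killed by a signal, exit status > 128 (134 = SIGABRT is what
#            the glibc "free(): invalid pointer" abort produces)

# classify_exit STATUS -> prints ok | error | crash (signal N)
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo "crash (signal $((status - 128)))"
    else
        echo error
    fi
}

# run_classified CMD [ARGS...] -> runs the command, discards its output,
# prints the classification of its exit status. The "|| status=$?" form
# keeps a failing command from aborting the script under "set -e".
run_classified() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# check_decode INPUT OUTPUT -> classification of opj_decompress on INPUT
check_decode() {
    run_classified opj_decompress -i "$1" -o "$2"
}

# roundtrip INPUT.ppm WORKDIR -> "ok" only if compress and decompress both
# exit 0 (the regression test from comments 3 and 4), else the first
# non-ok classification.
roundtrip() {
    in=$1
    dir=$2
    base=$(basename "$in" .ppm)
    r=$(run_classified opj_compress -i "$in" -o "$dir/$base.jp2")
    if [ "$r" != ok ]; then
        echo "compress: $r"
        return 1
    fi
    r=$(run_classified opj_decompress -i "$dir/$base.jp2" -o "$dir/$base.out.pnm")
    if [ "$r" != ok ]; then
        echo "decompress: $r"
        return 1
    fi
    echo ok
}

# Usage (placeholders, only runs when the tools are installed):
#   ./check_openjpeg.sh openjpeg_poc.jp2 piuva.ppm
# Expected: the PoC reports "error" on a patched build and "crash (signal 6)"
# on an unpatched one; the round trip on a valid image reports "ok".
if [ $# -ge 1 ] && command -v opj_decompress >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    echo "poc:       $(check_decode "$1" "$tmp/poc.png")"
    if [ $# -ge 2 ]; then
        echo "roundtrip: $(roundtrip "$2" "$tmp")"
    fi
    rm -rf "$tmp"
fi
```

A crash exit (status above 128) is the finding that matters for a security update: a clean "error" on the PoC means the patched decoder validated the input instead of corrupting the heap, which is exactly the difference between comment 2 and comment 3.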
Comment 5 Thomas Andrews 2020-01-29 22:23:52 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Len Lawrence 2020-01-29 23:02:51 CET
Created attachment 11492 [details]
Shortlist of dependent applications
Thomas Backlund 2020-01-30 18:24:26 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-01-30 19:29:59 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0071.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

