Bug 26953 - openjpeg2 new security issue CVE-2020-15389
Summary: openjpeg2 new security issue CVE-2020-15389
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-14 22:27 CEST by David Walser
Modified: 2020-08-01 01:28 CEST

See Also:
Source RPM: openjpeg2-2.3.1-5.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-07-14 22:27:07 CEST
Debian-LTS has issued an advisory on July 11:
https://www.debian.org/lts/security/2020/dla-2277

Mageia 7 is also affected.
David Walser 2020-07-14 22:27:23 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-07-15 11:06:38 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-07-15 17:44:03 CEST
Advisory:
========================

Updated openjpeg2 packages fix security vulnerability:

jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be
triggered if there is a mix of valid and invalid files in a directory operated
on by the decompressor. Triggering a double-free may also be possible. This is
related to calling opj_image_destroy twice (CVE-2020-15389).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15389
https://www.debian.org/lts/security/2020/dla-2277
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.4.mga7
libopenjp2_7-2.3.1-1.4.mga7
libopenjpeg2-devel-2.3.1-1.4.mga7

from openjpeg2-2.3.1-1.4.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Len Lawrence 2020-07-15 18:37:45 CEST
mga7, x86_64

CVE-2020-15389
https://github.com/uclouvain/openjpeg/issues/1261
$ opj_decompress -ImgDir inputs -OutFor pgm
$ opj_decompress -ImgDir inputs -OutFor pgm
Folder opened successfully

File Number 0 "balloon.jpm"

===========================================
The extension of this file is incorrect.
FOUND .jpm. SHOULD BE .jp2
===========================================
[ERROR] JP2H box missing. Required.
ERROR -> opj_decompress: failed to read the header

These files are meant to produce output within the asan framework and upstream end in ABORT.

Updated the three packages.
$ opj_decompress -ImgDir inputs -OutFor pgm
Folder opened successfully

File Number 0 "balloon.jpm"

===========================================
The extension of this file is incorrect.
FOUND .jpm. SHOULD BE .jp2
===========================================
[ERROR] JP2H box missing. Required.
ERROR -> opj_decompress: failed to read the header

So, no change there but the test has a tidy exit and the pgm directory is empty.
Note that the invalid file is intended to be treated as such because the fault would have triggered on a mixture of good and bad files as stated in the advisory.  Probable good result.

$ opj_compress -i ikapati.ppm -o ikapati.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile ikapati.jp2
encode time: 222 ms 
$ gm display ikapati.jp2
<image displays as expected>
$ opj_dump -i ikapati.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
	 x0=0, y0=0
	 x1=1434, y1=717
	 numcomps=3
		 component 0 {
<and so on....>

$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile ikapati.bmp
decode time: 108 ms
$ gm display ikapati.bmp
<Looks as good as new>

Avoided PNG, although it is supposed to be supported, because PNG images can come in one of several compression modes.  None here are suitable.

This looks good to go.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
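
The lifetime bug described in the advisory in Comment 2 (a destroy call reached twice when a directory mixes valid and invalid files), modelled as an added example; it is not code from this bug report and is neither OpenJPEG's source nor its patch. `mock_image`, `mock_read_header`, `mock_image_destroy` and `decode_dir` are hypothetical names, and the model counts repeated destroys instead of performing them so that it runs safely.

```c
#include <stdio.h>

/* Hypothetical stand-in for opj_image_t; 'live' models "heap block still allocated". */
typedef struct { int live; } mock_image;

#define POOL 8
static mock_image pool[POOL];
static int pool_next, stale_destroys;

/* Models a header read: on failure the caller's pointer is left untouched. */
static int mock_read_header(int valid, mock_image **out) {
    if (!valid || pool_next >= POOL) return 0;
    *out = &pool[pool_next++];
    (*out)->live = 1;
    return 1;
}

/* Models the destroy call; a second call on the same image is counted, not executed. */
static void mock_image_destroy(mock_image *img) {
    if (!img) return;                              /* NULL is harmless, like free(NULL) */
    if (!img->live) { stale_destroys++; return; }  /* real code would double-free here */
    img->live = 0;
}

/* files[i] != 0 marks a valid file (constructed input). Returns the number of
 * destroy calls that hit an already destroyed image. */
int decode_dir(const int *files, int n, int reset_per_file) {
    mock_image *image = NULL;                 /* one pointer shared by every iteration */
    pool_next = 0;
    stale_destroys = 0;
    for (int i = 0; i < n; i++) {
        if (reset_per_file) image = NULL;     /* hardened: nothing survives from the last file */
        if (!mock_read_header(files[i], &image)) {
            mock_image_destroy(image);        /* error-path cleanup sees the previous image */
            continue;
        }
        mock_image_destroy(image);            /* normal cleanup; pointer is not cleared */
    }
    return stale_destroys;
}

int main(void) {
    int mixed[] = {1, 0, 1, 0}, lone_bad[] = {0};   /* constructed directory contents */
    printf("mixed, shared pointer: %d\n", decode_dir(mixed, 4, 0));
    printf("mixed, reset per file: %d\n", decode_dir(mixed, 4, 1));
    printf("single invalid file:   %d\n", decode_dir(lone_bad, 1, 0));
    return 0;
}
```

In this model a directory holding only one invalid file never reaches a stale pointer, so a regression test for this class of bug needs at least one valid file ahead of an invalid one, ideally run under a sanitizer build.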

Comment 4 Thomas Andrews 2020-07-15 22:52:49 CEST
That was a quick one. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-07-31 10:51:33 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-08-01 01:28:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0307.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

