Bug 27903 - openjpeg2 new security issue CVE-2020-2784[1235]
Summary: openjpeg2 new security issue CVE-2020-2784[1235]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-22 17:36 CET by David Walser
Modified: 2020-12-29 12:58 CET (History)
5 users (show)

See Also:
Source RPM: openjpeg2-2.3.1-1.5.mga7.src.rpm
CVE: CVE-2020-2784[1235]
Status comment:


Attachments

Description David Walser 2020-12-22 17:36:17 CET
Fedora has issued an advisory today (December 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THY4LKGUS3D4XE5YHKLMTPVLURQ7OV57/

Mageia 7 is also affected.
David Walser 2020-12-22 17:36:28 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-22 20:43:30 CET
Assigning to DavidG as most recent maintainer - more CVEs!

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Lécureuil 2020-12-24 00:57:26 CET
new package pushed in cauldron and mageia 7:

src:openjpeg2-2.3.1-1.6.mga7

CC: (none) => mageia
Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 3 David Walser 2020-12-24 03:28:38 CET
Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

There's a flaw in openjpeg in src/lib/openjp2/pi.c. When an attacker is able to
provide crafted input to be processed by the openjpeg encoder, this could cause
an out-of-bounds read. The greatest impact from this flaw is to application
availability (CVE-2020-27841).

There's a flaw in openjpeg's t2 encoder. An attacker who is able to provide
crafted input to be processed by openjpeg could cause a null pointer
dereference. The highest impact of this flaw is to application availability
(CVE-2020-27842).

A flaw was found in OpenJPEG. This flaw allows an attacker to provide specially
crafted input to the conversion or encoding functionality, causing an
out-of-bounds read. The highest threat from this vulnerability is system
availability (CVE-2020-27843).

There's a flaw in  src/lib/openjp2/pi.c of openjpeg. If an attacker is able to
provide untrusted input to openjpeg's conversion/encoding functionality, they
could cause an out-of-bounds read. The highest impact of this flaw is to
application availability (CVE-2020-27845).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27845
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THY4LKGUS3D4XE5YHKLMTPVLURQ7OV57/
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.3.1-1.6.mga7
libopenjp2_7-2.3.1-1.6.mga7
libopenjpeg2-devel-2.3.1-1.6.mga7

from openjpeg2-2.3.1-1.6.mga7.src.rpm
Comment 4 Len Lawrence 2020-12-28 13:33:31 CET
Mga7, x64

Not much discussion on the web - no obvious reproducers.  Testing update later.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2020-12-28 16:22:51 CET
Using bug 27822 as a guide tested some of the utilities on various jpeg files.

$ opj_compress -i ikapati.ppm -o ikapati.jp2

$ opj_dump -i ikapati.jp2
$ file ikapati.jp2
ikapati.jp2: JPEG 2000 Part 1 (JP2)
$ identify ikapati.jp2
ikapati.jp2 JP2 1434x717 1434x717+0+0 8-bit sRGB 0.000u 0:00.000

$ opj_decompress -i ikapati.jp2 -o ikapati.bmp

Results are identical to those on the previous bug.
All output files display properly with ImageMagick and eom.

Green light for this.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-12-28 23:04:38 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2020-12-29 11:23:14 CET
Advisory pushed to SVN.

CVE: (none) => CVE-2020-2784[1235]
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 8 Mageia Robot 2020-12-29 12:58:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0478.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.