Bug 27986 - openjpeg2 new security issues fixed upstream in 2.4.0 (including CVE-2020-27844)
Summary: openjpeg2 new security issues fixed upstream in 2.4.0 (including CVE-2020-27844)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-30 04:34 CET by David Walser
Modified: 2021-03-02 23:35 CET

See Also:
Source RPM: openjpeg2-2.3.1-1.6.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-12-30 04:34:22 CET
openjpeg2 2.4.0 has been released on December 28:
https://github.com/uclouvain/openjpeg/blob/master/CHANGELOG.md

Release announcement said no API or ABI breakage, so it should be a safe update.
Comment 1 David Walser 2020-12-30 11:39:53 CET
openjpeg2-2.4.0-1.mga8 uploaded for Cauldron by David.

We'll probably want to update it for Mageia 7 too.

Version: Cauldron => 7

Comment 2 David Walser 2021-02-26 16:59:39 CET
We may have most of the security fixes already (or at least the more serious ones), but it's hard to tell with them not labeling things consistently with CVEs in the changelog.  At the very least we've missed one security issue, CVE-2020-27844.

Debian-LTS has issued an advisory for this on February 9:
https://www.debian.org/lts/security/2021/dla-2550

Severity: normal => critical
Source RPM: openjpeg2-2.3.1-8.mga8.src.rpm => openjpeg2-2.3.1-1.6.mga7.src.rpm
Summary: openjpeg2 new security issues fixed upstream in 2.4.0 => openjpeg2 new security issues fixed upstream in 2.4.0 (including CVE-2020-27844)

Comment 3 David GEIGER 2021-02-27 09:36:03 CET
Done for mga7!
Comment 4 David Walser 2021-02-27 17:40:26 CET
Package list:
openjpeg2-2.4.0-1.mga7
libopenjp2_7-2.4.0-1.mga7
libopenjpeg2-devel-2.4.0-1.mga7

from openjpeg2-2.4.0-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Len Lawrence 2021-02-27 21:38:48 CET
The Debian advisory lists the four CVEs which were probably covered in the update under bug 27903 so you are probably right about the fixes having been done except for the "missing" CVE-2020-27844.  Unfortunately there seems to be no PoC for any openjpeg2 issues going back to bug 26953 exclusive.  Shall run the usual tests.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-02-28 19:39:33 CET
mga7, x64

Decompressed a JP2 image before updating.

Clean install for the three packages.

$ opj_decompress -i Ikapati.jp2 -o Ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile Ikapati.bmp
decode time: 38 ms

The BMP file displayed correctly with display, eom and gthumb.

$ opj_dump -i Ikapati.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
	 x0=0, y0=0
	 x1=614, y1=614
[...]
Codestream index from main header: {
	 Main header start position=85
	 Main header end position=204
	 Marker list: {
		 type=0xff4f, pos=85, len=2
....

$ opj_compress -i sunset_1.bmp -o sunset.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile sunset.jp2
encode time: 484 ms 
$ display sunset.jp2
<OK>

According to help the utilities recognize *.pnm, *.pgm, *.ppm, *.pgx, *png, *.bmp, *.tif, *.raw or *.tga.
Picking a few at random confirmed that PNM, TGA, PPM files can be compressed to JP2 format.  Could not find any PNG or TIFF files which could be converted to JP2.  They all come back with the message "Unable to load file: got no image".
This is not a regression - it has been noted before and may indicate a project still in progress.

As far as these local tests go it continues to work.

Whiteboard: (none) => MGA7-64-OK

Comment 7 Len Lawrence 2021-02-28 19:44:00 CET
Rider to comment 6:

There may well be some PNG images which can be compressed, because they come in several flavours with different levels of compression IIRC.
Comment 8 Thomas Andrews 2021-03-01 14:45:34 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Aurelien Oudelet 2021-03-01 15:31:39 CET
So we have previous fixes done, adding an adv for CVE-2020-27844:

Advisory:
========================

Updated openjpeg2 packages fix security vulnerability:

A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27844).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27844
https://www.debian.org/lts/security/2021/dla-2550
========================

Updated packages in core/updates_testing:
========================
openjpeg2-2.4.0-1.mga7
libopenjp2_7-2.4.0-1.mga7
libopenjpeg2-devel-2.4.0-1.mga7

from openjpeg2-2.4.0-1.mga7.src.rpm

This is committed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 10 Mageia Robot 2021-03-02 23:35:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0093.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
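
Added example (not part of the bug thread or of Mageia's tooling): a small shell audit that checks whether installed openjpeg2 packages are at or past 2.4.0, the release the advisory in comment 9 names as fixing CVE-2020-27844. The function names, the lib64 package-name variants and the sample package list are assumptions constructed for illustration.

```shell
#!/bin/sh
# First upstream release with the CVE-2020-27844 fix, per the advisory text.
FIXED_VERSION="2.4.0"

# Print "fixed", "vulnerable" or "unrelated" for one name-version-release
# string (a trailing ".arch" is tolerated because it is part of the release).
opj_pkg_status() {
    nv=${1%-*}            # drop the release field, e.g. "-1.mga7"
    name=${nv%-*}
    version=${nv##*-}
    case "$name" in
        # Names from the package list above; lib64* variants are assumed.
        openjpeg2|libopenjp2_7|libopenjpeg2-devel) ;;
        lib64openjp2_7|lib64openjpeg2-devel) ;;
        *) echo unrelated; return 0 ;;
    esac
    # sort -V orders version strings; if FIXED_VERSION sorts first (or is
    # equal), the installed version is at or past the fix.
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$version" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then echo fixed; else echo vulnerable; fi
}

# Read package strings on stdin (one per line, e.g. from `rpm -qa`), report
# the openjpeg2 ones, and return non-zero if any is older than the fix.
audit_openjpeg2() {
    rc=0
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        status=$(opj_pkg_status "$nvr")
        [ "$status" = unrelated ] && continue
        printf '%-40s %s\n' "$nvr" "$status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Constructed sample input: a host where only the library was updated.
audit_openjpeg2 <<'EOF' || echo "openjpeg2 update still needed"
openjpeg2-2.3.1-1.6.mga7
libopenjp2_7-2.4.0-1.mga7
example-pkg-1.0-1.mga7
EOF
```

This is a version comparison only: a package older than 2.4.0 that carries a backported patch would still be reported as vulnerable, so the result is a prompt to check the changelog, not proof of exposure.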

