Bug 6624 - openjpeg new security issue CVE-2009-5030
: openjpeg new security issue CVE-2009-5030
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/504073/
: MGA1TOO mga2-64-OK MGA2-32-OK mga1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-29 18:55 CEST by David Walser
Modified: 2012-07-10 01:46 CEST (History)
4 users (show)

See Also:
Source RPM: openjpeg-1.5.0-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-06-29 18:55:46 CEST
Fedora has issued an advisory on June 18:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083105.html

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

For those interested, the other CVE in Fedora's advisory is fixed in openjpeg 1.5 (in Mageia 2) and does not affect openjpeg 1.3 (in Mageia 1).

Advisory:
========================

Updated openjpeg packages fix security vulnerability:

An out-of heap-based buffer bounds read and write flaw, leading to
invalid free, was found in the way a tile coder / decoder (TCD)
implementation of OpenJPEG, an open-source JPEG 2000 codec written in
C language, performed releasing of previously allocated memory for the
TCD encoder handle by processing certain Gray16 TIFF images. A remote
attacker could provide a specially-crafted TIFF image file, which once
converted into the JPEG 2000 file format with an application linked
against OpenJPEG (such as 'image_to_j2k'), would lead to that
application crash, or, potentially arbitrary code execution with the
privileges of the user running the application (CVE-2009-5030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5030
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083105.html
========================

Updated packages in core/updates_testing:
========================
libopenjpeg2-1.3-7.1.mga1
libopenjpeg-devel-1.3-7.1.mga1
openjpeg-1.5.0-1.1.mga2
libopenjpeg1-1.5.0-1.1.mga2
libopenjpeg-devel-1.5.0-1.1.mga2

from SRPMS:
openjpeg-1.3-7.1.mga1.src.rpm
openjpeg-1.5.0-1.1.mga2.src.rpm
Comment 1 claire robinson 2012-07-02 16:47:20 CEST
Testing x86_64 mga2

Downloaded random.tif from http://code.google.com/p/openjpeg/issues/detail?id=5

which is linked as the upstream ticket from the redhat bug https://bugzilla.redhat.com/show_bug.cgi?id=812317

Before
------
$ image_to_j2k -i random.tif -o random.j2k

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.857870 s
*** glibc detected *** image_to_j2k: free(): invalid next size (normal): 0x00000000018193a0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x73476)[0x7fb99e6cf476]
/usr/lib64/libopenjpeg.so.1(tcd_free_encode+0x125)[0x7fb99f390e85]
/usr/lib64/libopenjpeg.so.1(j2k_encode+0x1090)[0x7fb99f384ba0]
image_to_j2k(main+0x6a0)[0x403710]
etc.

After
-----
$ image_to_j2k -i random.tif -o random.j2k

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.858870 s
*** glibc detected *** image_to_j2k: free(): invalid next size (normal): 0x0000000001fdc3a0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x73476)[0x7f9bd422d476]
/usr/lib64/libopenjpeg.so.1(tcd_free_encode+0x125)[0x7f9bd4eeee85]
/usr/lib64/libopenjpeg.so.1(j2k_encode+0x1090)[0x7f9bd4ee2ba0]
image_to_j2k(main+0x6a0)[0x403710]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7f9bd41db32d]
image_to_j2k[0x403b2d]


So it seems either the CVE is not closed by this update or the crash is unrelated.
Comment 2 David Walser 2012-07-02 17:07:01 CEST
Thanks Claire.  I now have the brown paper bag pulled down fully over my head.

I patched the wrong line of code :o(

The patch in the Mageia 1 package is correct.

Mageia 2 and Cauldron packages rebuilding now.
Comment 3 claire robinson 2012-07-02 17:08:26 CEST
Thanks David.

Wassi found it (user7), I can't take the credit.
Comment 4 David Walser 2012-07-02 17:14:46 CEST
Corrected packages uploaded for Mageia 2 and Cauldron.  Updated advisory.

Advisory:
========================

Updated openjpeg packages fix security vulnerability:

An out-of heap-based buffer bounds read and write flaw, leading to
invalid free, was found in the way a tile coder / decoder (TCD)
implementation of OpenJPEG, an open-source JPEG 2000 codec written in
C language, performed releasing of previously allocated memory for the
TCD encoder handle by processing certain Gray16 TIFF images. A remote
attacker could provide a specially-crafted TIFF image file, which once
converted into the JPEG 2000 file format with an application linked
against OpenJPEG (such as 'image_to_j2k'), would lead to that
application crash, or, potentially arbitrary code execution with the
privileges of the user running the application (CVE-2009-5030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5030
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083105.html
========================

Updated packages in core/updates_testing:
========================
libopenjpeg2-1.3-7.1.mga1
libopenjpeg-devel-1.3-7.1.mga1
openjpeg-1.5.0-1.2.mga2
libopenjpeg1-1.5.0-1.2.mga2
libopenjpeg-devel-1.5.0-1.2.mga2

from SRPMS:
openjpeg-1.3-7.1.mga1.src.rpm
openjpeg-1.5.0-1.2.mga2.src.rpm
Comment 5 claire robinson 2012-07-02 18:09:01 CEST
Confirmed fixed mga2 64

$ image_to_j2k -i random.tif -o random.j2k

[INFO] tile number 1 / 1
[INFO] - tile encoded in 0.862869 s
Generated outfile random.j2k
Comment 6 user7 2012-07-02 18:54:08 CEST
Testing MGA2, i586.

Testing procedure mostly mirrors Comment 1. The downloaded file was renamed to "attachment.tif" though, as something ate the file extension (the file as I downloaded it was called "attachment". openjpeg will refuse to work on a file without file extension.

Before update:
$ image_to_j2k -i attachment.tif -o testimage.j2k

[INFO] tile number 1 / 1
[INFO] - tile encoded in 1.053840 s
Speicherzugriffsfehler (=segmentation fault)

After update:
$ image_to_j2k -i attachment.tif -o testimage.j2k

[INFO] tile number 1 / 1
[INFO] - tile encoded in 1.063838 s
Generated outfile testimage.j2k

The resulting file can be opened with GIMP, but crashes Krita and can not be opened with neither Gwenview nor Okular (no crashes though). This is not a regression though.

Please note that these results are for openjpeg-1.5.0-1.2.mga2.src.rpm, as openjpeg-1.5.0-1.1.mga2.src.rpm didn't work for me (same result as in Comment 1).
Comment 7 claire robinson 2012-07-02 19:05:48 CEST
Testing mga1 64

Mageia 1 doesn't have the openjpeg package so the image_to_j2k command can't be used.

Just testing lib64openjpeg2 seems to work ok by opening the random.j2k created on mageia 2 in krita on mageia 1.

$ strace -o strace.out krita random.j2k
$ grep openjpeg strace.out 
open("/usr/lib64/libopenjpeg.so.2", O_RDONLY) = 17

No regression noticed.
Comment 8 Dave Hodgins 2012-07-04 04:19:11 CEST
Testing mga1 i586.  Only testing for regressions. None found.

Could someone from the sysadmin team push the srpm
openjpeg-1.5.0-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core updates, and the srpm
openjpeg-1.3-7.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated openjpeg packages fix security vulnerability:

An out-of heap-based buffer bounds read and write flaw, leading to
invalid free, was found in the way a tile coder / decoder (TCD)
implementation of OpenJPEG, an open-source JPEG 2000 codec written in
C language, performed releasing of previously allocated memory for the
TCD encoder handle by processing certain Gray16 TIFF images. A remote
attacker could provide a specially-crafted TIFF image file, which once
converted into the JPEG 2000 file format with an application linked
against OpenJPEG (such as 'image_to_j2k'), would lead to that
application crash, or, potentially arbitrary code execution with the
privileges of the user running the application (CVE-2009-5030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5030
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083105.html

https://bugs.mageia.org/show_bug.cgi?id=6624
Comment 9 Thomas Backlund 2012-07-10 01:46:58 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0152

Note You need to log in before you can comment on or make changes to this bug.