Bug 6758 - openjpeg new security issue CVE-2012-3358
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/506390/
Whiteboard: MGA1TOO mga2-64-OK mga1-64-OK mga1-32...
Keywords: validated_update

Reported: 2012-07-11 21:46 CEST by David Walser
Modified: 2012-07-14 01:08 CEST (History)

Source RPM: openjpeg-1.5.0-1.2.mga2.src.rpm

Description David Walser 2012-07-11 21:46:20 CEST
RedHat has issued an advisory today (July 11):
https://rhn.redhat.com/errata/RHSA-2012-1068.html

Link to the upstream commit to fix in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=835767

Mageia 1 and 2 are also affected.
Comment 1 David Walser 2012-07-11 23:13:24 CEST
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated openjpeg packages fix security vulnerability:

An input validation flaw, leading to a heap-based buffer overflow, was
found in the way OpenJPEG handled the tile number and size in an image
tile header. A remote attacker could provide a specially-crafted image
file that, when decoded using an application linked against OpenJPEG,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application
(CVE-2012-3358).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358
https://rhn.redhat.com/errata/RHSA-2012-1068.html
========================

Updated packages in core/updates_testing:
========================
libopenjpeg2-1.3-7.1.mga1
libopenjpeg-devel-1.3-7.1.mga1
openjpeg-1.5.0-1.3.mga2
libopenjpeg1-1.5.0-1.3.mga2
libopenjpeg-devel-1.5.0-1.3.mga2

from SRPMS:
openjpeg-1.3-7.1.mga1.src.rpm
openjpeg-1.5.0-1.3.mga2.src.rpm
Comment 2 user7 2012-07-12 14:47:44 CEST
If I got everything right, this was fixed in the same commit as this bug: https://bugs.mageia.org/show_bug.cgi?id=6624
But I guess we didn't apply both patches previously?

See http://code.google.com/p/openjpeg/source/detail?r=1703 for details, http://code.google.com/p/openjpeg/issues/detail?id=62 for a PoC for this bug.

Could anybody check I'm not missing something here? I'm not sure how exactly (or if) this is related to https://bugs.mageia.org/show_bug.cgi?id=6624.

Also, the SRPM version of one of the packages here (openjpeg-1.3-7.1.mga1.src.rpm) is identical to the one used here: https://bugs.mageia.org/show_bug.cgi?id=6624
Is this correct?
Comment 3 David Walser 2012-07-12 21:53:05 CEST
CVE-2009-5030 from the previous update was fixed in revision 1703.

CVE-2012-3358 for this update was fixed in revision 1727:
https://bugzilla.redhat.com/show_bug.cgi?id=835767

I did forget to bump the subrel for the Mageia 1 update, thanks for catching.

Update for Mageia 1 rebuilt.

Advisory:
========================

Updated openjpeg packages fix security vulnerability:

An input validation flaw, leading to a heap-based buffer overflow, was
found in the way OpenJPEG handled the tile number and size in an image
tile header. A remote attacker could provide a specially-crafted image
file that, when decoded using an application linked against OpenJPEG,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application
(CVE-2012-3358).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358
https://rhn.redhat.com/errata/RHSA-2012-1068.html
========================

Updated packages in core/updates_testing:
========================
libopenjpeg2-1.3-7.2.mga1
libopenjpeg-devel-1.3-7.2.mga1
openjpeg-1.5.0-1.3.mga2
libopenjpeg1-1.5.0-1.3.mga2
libopenjpeg-devel-1.5.0-1.3.mga2

from SRPMS:
openjpeg-1.3-7.2.mga1.src.rpm
openjpeg-1.5.0-1.3.mga2.src.rpm
Comment 4 claire robinson 2012-07-13 13:27:15 CEST
There doesn't seem to be a PoC for this one, so just testing it still works with the same procedure as bug 6624.
Comment 5 claire robinson 2012-07-13 13:34:02 CEST
Testing complete mga2 64
Comment 6 claire robinson 2012-07-13 13:53:01 CEST
Testing complete mga1 64
Comment 7 claire robinson 2012-07-13 14:40:24 CEST
Testing complete mga1 32
Comment 8 Malo Deniélou 2012-07-13 14:50:51 CEST
Testing complete mga2 32
Comment 9 claire robinson 2012-07-13 14:52:51 CEST
Validating, thanks malo

Please see comment 3 for advisory and srpms for mga1 and 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 10 Thomas Backlund 2012-07-14 01:08:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0166