7510 – openjpeg new security issue CVE-2012-3535

Bug 7510 - openjpeg new security issue CVE-2012-3535

Summary: openjpeg new security issue CVE-2012-3535

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	2
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:	http://lwn.net/Vulnerabilities/516634/
Whiteboard:	MGA1TOO has_procedure mga1-32-OK mga1...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2012-09-17 22:17 CEST by David Walser
Modified:	2012-09-18 23:07 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	openjpeg
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-09-17 22:17:46 CEST

RedHat has issued an advisory today (September 17):
https://rhn.redhat.com/errata/RHSA-2012-1283.html

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated openjpeg packages fix security vulnerability:

It was found that OpenJPEG failed to sanity-check an image header field
before using it. A remote attacker could provide a specially-crafted image
file that could cause an application linked against OpenJPEG to crash or,
possibly, execute arbitrary code (CVE-2012-3535).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535
https://rhn.redhat.com/errata/RHSA-2012-1283.html
========================

Updated packages in core/updates_testing:
========================
libopenjpeg2-1.3-7.3.mga1
libopenjpeg-devel-1.3-7.3.mga1
openjpeg-1.5.0-1.4.mga2
libopenjpeg1-1.5.0-1.4.mga2
libopenjpeg-devel-1.5.0-1.4.mga2

from SRPMS:
openjpeg-1.3-7.3.mga1.src.rpm
openjpeg-1.5.0-1.4.mga2.src.rpm

David Walser 2012-09-17 22:17:54 CEST

Whiteboard: (none) => MGA1TOO
Severity: normal => critical

Comment 1 Eduard Beliaev 2012-09-18 03:45:07 CEST

Tested on Mageia 2 x86_64.

Here is the testing procedure used for this package:

http://www.openjpeg.org/index.php?menu=samples

I don't know if this is the right way to test this package.

CC: (none) => ed_rus099

Comment 2 Eduard Beliaev 2012-09-18 03:45:59 CEST

I forgot to say that works ok. :)

Comment 3 claire robinson 2012-09-18 09:41:52 CEST

Yes that works Eduard, well done for finding it. It's an open source jpeg2000 library. From memory, I don't think mga1 has the image_to_j2k command. I think we used Krita last time for that

claire robinson 2012-09-18 09:42:18 CEST

Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO has_procedure mga2-64-OK

Comment 4 claire robinson 2012-09-18 10:51:34 CEST

Testing complete Mga1 32

Tested using krita to open a j2k and then open a bmp and save as jpeg2000


$ grep libopenjpeg strace.out | grep -v "such file"
open("/usr/lib/libopenjpeg.so.2", O_RDONLY) = 26

claire robinson 2012-09-18 10:51:49 CEST

Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK

Comment 5 claire robinson 2012-09-18 11:08:13 CEST

Testing complete mga1 64

$ grep libopenjpeg strace.out | grep -v "such file"
open("/usr/lib64/libopenjpeg.so.2", O_RDONLY) = 28

Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK

Comment 6 claire robinson 2012-09-18 14:51:15 CEST

Testing complete mga2 32

Validating

See comment 0 for advisory and srpms

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK

Comment 7 Thomas Backlund 2012-09-18 23:07:05 CEST

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0274

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.