Date: Tue, 22 Aug 2017 12:57:09 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com, winsonliu(刘科) <winsonliu@...cent.com>
Cc: cve-assign <cve-assign@...re.org>
Subject: Re: CVE Request: Multiple security issues in OpenJPEG

Most of these seem to be fixed now in OpenJPEG's recent 2.2.0 release.
Did CVE IDs ever get assigned for them?

	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 09/18/16 07:00 PM, winsonliu(刘科) wrote:
> Hi,
> 
> This is Ke Liu of Tencent's Xuanwu LAB. I reported some security issues to OpenJPEG some months ago. Could you please assign some CVE numbers for them? Thanks.
> 
> The memory issues may lead to code execution; the other issues may simply lead to DoS problems.
> 
> BTW, proof-of-concept files for all issues were supplied. For more details, please click the issue links below.
> 
> 1. Out-of-Bounds Write in opj_mqc_byteout of mqc.c
> 
> An Out-of-Bounds Write issue can be triggered in function opj_mqc_byteout of mqc.c while executing opj_compress. This issue was caused by a malformed BMP file.
> 
> AddressSanitizer: heap-buffer-overflow, WRITE of size 1
> Report date: 2016/09/12
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/835
> Root cause: not clear
> Patch: no patch supplied
> 
> 2. Out-of-Bounds Read in function bmp24toimage of convertbmp.c
> 
> An Out-of-Bounds Read issue was found in function bmp24toimage of convertbmp.c while executing opj_compress. The root cause of this issue was an integer overflow. This issue was caused by a malformed BMP file.
> 
> AddressSanitizer: heap-buffer-overflow, READ of size 1
> Report date: 2016/09/12
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/833
> Root cause: integer overflow
> Patch: https://github.com/uclouvain/openjpeg/pull/834
> 
> 3. Null Pointer Access in function sycc422_to_rgb of color.c
> 
> A null pointer access issue was found in function sycc422_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/06/28
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/792
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 4. Null Pointer Access in function color_esycc_to_rgb of color.c
> 
> A null pointer access issue was found in function color_esycc_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/05/25
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/785
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 5. Null Pointer Access in function sycc444_to_rgb of color.c
> 
> A null pointer access issue was found in function sycc444_to_rgb of color.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/05/25
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/784
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 6. Null Pointer Access in function imagetopnm of convert.c
> 
> A null pointer access issue was found in function imagetopnm of convert.c while executing opj_decompress. This issue was caused by a malformed J2K file.
> 
> AddressSanitizer: SEGV on unknown address 0x00000000
> Report date: 2016/05/06
> Status: Not fixed
> Url: https://github.com/uclouvain/openjpeg/issues/776
> Root cause: null pointer dereference
> Patch: easy to fix, check before accessing
> 
> 7. Multiple division-by-zero issues in function opj_pi_next_rpcl of pi.c
> 
> Multiple division-by-zero issues were found in function opj_pi_next_rpcl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.
> 
> AddressSanitizer: SIGFPE, Arithmetic exception
> Report date: 2016/05/06
> Status: Not fixed
> Url1: https://github.com/uclouvain/openjpeg/issues/780
> Url2: https://github.com/uclouvain/openjpeg/issues/779
> Root cause: division-by-zero
> Patch: easy to fix, check before dividing
> 
> 8. Multiple division-by-zero issues in function opj_pi_next_pcrl of pi.c
> 
> Multiple division-by-zero issues were found in function opj_pi_next_pcrl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.
> 
> AddressSanitizer: SIGFPE, Arithmetic exception
> Report date: 2016/05/06
> Status: Not fixed
> Url1: https://github.com/uclouvain/openjpeg/issues/777
> Url2: https://github.com/uclouvain/openjpeg/issues/778
> Root cause: division-by-zero
> Patch: easy to fix, check before dividing
> 
> 9. Multiple division-by-zero issues in function opj_pi_next_cprl of pi.c
> 
> Multiple division-by-zero issues were found in function opj_pi_next_cprl of pi.c while executing opj_decompress. The issues were caused by malformed J2K files.
> 
> AddressSanitizer: SIGFPE, Arithmetic exception
> Report date: 2016/03/28
> Status: Not fixed
> Url1: https://github.com/uclouvain/openjpeg/issues/731
> Url2: https://github.com/uclouvain/openjpeg/issues/732
> Root cause: division-by-zero
> Patch: easy to fix, check before dividing
> 
> Regards,
> Ke
> Tencent's Xuanwu LAB
> 
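Added illustration of the bug class behind item 2 (an integer overflow in size arithmetic derived from a malformed BMP header, leading to an undersized heap buffer and an out-of-bounds read). This is example code written for this page, not OpenJPEG's convertbmp.c and not from either message above; the struct, function names, the 65536x65536 header, and the 1 GiB allocation cap are all assumptions made here. It shows the 32-bit product wrapping to zero beside a checked version that validates the header fields, computes in 64 bits and bounds the result.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Header fields of a 24-bit BMP that drive buffer sizing. Constructed for this
 * example; the struct and function names are not OpenJPEG's. */
typedef struct {
    int32_t  width;      /* biWidth: signed in the BMP format */
    int32_t  height;     /* biHeight: negative means top-down row order */
    uint16_t bit_count;  /* biBitCount: 24 for a bmp24 image */
} bmp_info_t;

/* Assumed policy: refuse to allocate more than 1 GiB of pixel data. The cap
 * also keeps the result inside size_t on 32-bit targets. */
#define MAX_PIXEL_BYTES ((uint64_t)1 << 30)

/* Weak sizing: 32-bit arithmetic on attacker-controlled dimensions. The
 * product wraps modulo 2^32, so a huge image yields a tiny (or zero-byte)
 * allocation and every later row read walks past the end of the heap buffer.
 * This is the bug class item 2 reports, not a copy of the affected code.
 * (Negating INT32_MIN here is itself undefined; the checked version rejects it.) */
uint32_t naive_pixel_bytes(const bmp_info_t *h)
{
    uint32_t w      = (uint32_t)h->width;
    uint32_t rows   = (uint32_t)(h->height < 0 ? -h->height : h->height);
    uint32_t stride = (w * 3u + 3u) & ~3u;   /* BMP rows are padded to 4 bytes */
    return stride * rows;                     /* silently wraps */
}

/* Hardened sizing: validate the header, do the arithmetic in 64 bits, where no
 * product of two in-range 32-bit values can overflow, then cap the result.
 * Returns 1 and writes *out on success, 0 if the header is rejected. */
int checked_pixel_bytes(const bmp_info_t *h, size_t *out)
{
    if (h->bit_count != 24) return 0;
    if (h->width <= 0) return 0;                   /* width must be positive */
    if (h->height == 0 || h->height == INT32_MIN)  /* -INT32_MIN would overflow */
        return 0;
    uint64_t w      = (uint64_t)h->width;
    uint64_t rows   = (uint64_t)(h->height < 0 ? -(int64_t)h->height : (int64_t)h->height);
    uint64_t stride = (w * 3u + 3u) & ~(uint64_t)3; /* w < 2^31, so stride < 2^33 */
    uint64_t total  = stride * rows;                 /* < 2^33 * 2^31 = 2^64, fits */
    if (total > MAX_PIXEL_BYTES) return 0;
    *out = (size_t)total;
    return 1;
}

/* Convenience wrapper: checked size, or 0 when the header is rejected. A valid
 * image can never size to 0 here, since width > 0 and height != 0. */
size_t checked_size_or_zero(int32_t width, int32_t height)
{
    bmp_info_t h = { width, height, 24 };
    size_t n = 0;
    return checked_pixel_bytes(&h, &n) ? n : 0;
}

int main(void)
{
    /* Constructed malicious header: 65536 x 65536 at 24 bpp. The real pixel
     * data would be 12 GiB; the 32-bit product is 0x300000000 and wraps to 0. */
    bmp_info_t evil = { 65536, 65536, 24 };
    bmp_info_t ok   = { 4, 2, 24 };
    printf("naive   65536x65536: %u bytes (wrapped)\n", naive_pixel_bytes(&evil));
    printf("checked 65536x65536: %s\n",
           checked_size_or_zero(evil.width, evil.height) ? "accepted" : "rejected");
    printf("checked 4x2        : %zu bytes\n", checked_size_or_zero(ok.width, ok.height));
    return 0;
}
```

The same discipline applies to the other root causes in the list: the division-by-zero reports (items 7 to 9) need the divisor validated before it is used, and the null-pointer reports (items 3 to 6) need the pointer checked before it is dereferenced, in each case before any work proceeds on the untrusted input.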