Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAA7hUgE_xknsSqeYVZhG4Ka8J2=AA4ZQR=Ppgws1oGOCOJv==A@mail.gmail.com>
Date: Wed, 4 Dec 2013 12:24:31 +0100
From: Raphael Geissert <atomo64@...il.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: [vs] multiple issues in openjpeg

Hi,

This was unembargoed yesterday, so here's a copy of the messages sent
to the distros list.
There were no responses, so no messages are missing.

In the meantime I've received a response from one of upstream authors,
Mathieu Malaterre, saying he would be reviewing the patches at a later
time.

This work was done as part of a review of openjpeg for EDF.

Cheers,
Raphael

---------- Forwarded message ----------
From: Raphael Geissert <atomo64@...il.com>
Date: 1 December 2013 23:42
Subject: Re: [vs] multiple issues in openjpeg
To: distros@...openwall.org


Hi again,

Given that there has been no response whatsoever...

On 26 November 2013 12:04, Raphael Geissert <atomo64@...il.com> wrote:
[...]
> 1. heap OOB reads, information leaks

CVE-2013-6052

> 2. ditto, but only affecting 1.5.1

CVE-2013-6053

> 3. heap OOB writes (CVE-2013-6045)
> 4. ditto but only affecting 1.3

CVE-2013-6054

> 5. null pointer dereferences, division by zero, and anything that
> would just fit as DoS (CVE-2013-1447)
> 6. ditto, but only affecting 1.5.1

CVE-2013-6887

Cheers,
--
Raphael Geissert


---------- Forwarded message ----------
From: Raphael Geissert <atomo64@...il.com>
Date: 26 November 2013 12:04
Subject: [vs] multiple issues in openjpeg
To: distros@...openwall.org


Hi everyone,

During a review for EDF, I discovered multiple kinds of
vulnerabilities in openjpeg (different than CVE-2013-4289 and
CVE-2013-4290).

Summary:
* multiple denial of service (null ptr deref, high resource
consumption - in the order of 20GBs, division by zero, etc),
* invalid free()s (didn't check impact),
* out of bounds array reads and writes (similar to CVE-2012-3358, so
possibly exploitable to run arbitrary code),
* a format string bug (didn't check impact, at least DoS, ileak), and
* the use of uninitialized memory for all sorts of things.

Notice that this does not constitute a full review and that there
surely are more issues left in the code base.

Versions reviewed:
* 1.3 (with Debian's patches, as found in Debian squeeze and wheezy), and
* 1.5.1 (as found in Debian experimental).
Other versions might also be affected.

Upstream was contacted but got no response.

CVE-wise, I've classified the issues as following:

1. heap OOB reads, information leaks
2. ditto, but only affecting 1.5.1
3. heap OOB writes (CVE-2013-6045)
4. ditto but only affecting 1.3
5. null pointer dereferences, division by zero, and anything that
would just fit as DoS (CVE-2013-1447)
6. ditto, but only affecting 1.5.1

The two CVE ids above come from Debian's pool, but given the above
classification more ids are going to be needed. If there's an
agreement to the above, could somebody please assign some other ids?

Now, as for the vulnerabilities themselves, they are best described by
the attached patches. If details for any specific patch are desired
don't hesitate to ask. They should apply to both versions almost
as-is, if they don't, prod me.

Patches by categories defined above:

1.
shifting_too_much.patch
2.
segfault3.patch
3.
segfault0.patch
segfault1.patch
segfault2.patch
segfault5.patch
segfault7.patch
4.
qcx_backport.patch
5.
bloop1.patch
bloop2.patch
divbyzero.patch
null-ptr-deref.patch
segfault4.patch
segfault6.patch
segfault8.patch
segfault10.patch
uint_overflow.patch
6.
ifree1.patch

The patch that replaces malloc with calloc (segfault4.patch) is surely
enough just a workaround, but there are too many problems with the
code to spend further time on it.

Desired CDR: 3rd of December, 07:00 UTC

Cheers,
--
Raphael Geissert


-- 
Raphael Geissert

View attachment "bloop1.patch" of type "text/x-patch" (765 bytes)

View attachment "bloop2.patch" of type "text/x-patch" (2154 bytes)

View attachment "divbyzero.patch" of type "text/x-patch" (1874 bytes)

View attachment "ifree1.patch" of type "text/x-patch" (1113 bytes)

View attachment "null-ptr-deref.patch" of type "text/x-patch" (1166 bytes)

View attachment "qcx_backport.patch" of type "text/x-patch" (1149 bytes)

View attachment "segfault0.patch" of type "text/x-patch" (857 bytes)

View attachment "segfault1.patch" of type "text/x-patch" (1428 bytes)

View attachment "segfault2.patch" of type "text/x-patch" (774 bytes)

View attachment "segfault3.patch" of type "text/x-patch" (628 bytes)

View attachment "segfault4.patch" of type "text/x-patch" (509 bytes)

View attachment "segfault5.patch" of type "text/x-patch" (726 bytes)

View attachment "segfault6.patch" of type "text/x-patch" (590 bytes)

View attachment "segfault7.patch" of type "text/x-patch" (662 bytes)

View attachment "segfault8.patch" of type "text/x-patch" (583 bytes)

View attachment "segfault10.patch" of type "text/x-patch" (502 bytes)

View attachment "shifting_too_much.patch" of type "text/x-patch" (1947 bytes)

View attachment "uint_overflow.patch" of type "text/x-patch" (710 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.