Message-ID: <7c197fe9-19b4-6d6b-69a9-5504a9efbcb2@724safe.com>
Date: Sun, 18 Sep 2016 20:41:43 +0800
From: vul@...safe <vul@...safe.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - openjpeg null ptr dereference

# Vulnerability

openjpeg null ptr dereference in convert.c:1331

# Version

2.1.1 ( http://www.openjpeg.org/ )

# Address Sanitizer Output

ASAN:SIGSEGV
=================================================================
==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
    #0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
    #1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
    #2 0xf7343636 in __libc_start_main ??:?
    #3 0x807a31b in _start ??:?

# PoC

See poc.ppm

# Analysis

In convert.c:1483 and convert.c:1485, the variable s is unchecked after skip_int is called. A null ptr will be passed to skip_int again and will cause a null ptr dereference.

# Report Timeline

2016-09-16: FB3F15 of STARLAB discovered this issue
2016-09-18: Patch released

# Credit

FB3F15 of STARLAB

# PoC

https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm

# External link

https://github.com/uclouvain/openjpeg/issues/843
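The defensive pattern the analysis above calls for, shown as an added example: a minimal PPM header parser that tests the pointer returned by each skip_int call before handing it to the next one. The helper names follow the report, but their bodies and parse_ppm_header are a simplified reconstruction written for this illustration, not openjpeg's source.

```c
#include <ctype.h>
#include <stdlib.h>

/* Simplified reconstruction of the two helpers named in the report (added
 * example, not openjpeg's code). skip_white dereferences s unconditionally,
 * which is why a NULL reaching it crashes. */
static const char *skip_white(const char *s)
{
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    return (*s == '\0') ? NULL : s;   /* NULL: nothing left on the line */
}

/* Parse one decimal field; NULL when the line has run out or holds no digits. */
static const char *skip_int(const char *start, int *out_int)
{
    const char *s = skip_white(start);
    char *end;
    if (s == NULL)
        return NULL;
    *out_int = (int)strtol(s, &end, 10);
    return (end == s) ? NULL : end;
}

/* Parse "P6 <width> <height> <maxval>", testing each pointer before it is
 * passed to the next skip_int. Returns 0 on success, -1 on a bad header. */
int parse_ppm_header(const char *line, int *w, int *h, int *maxval)
{
    const char *s = skip_white(line);
    if (s == NULL || s[0] != 'P' || s[1] != '6')
        return -1;
    s = skip_int(s + 2, w);
    if (s == NULL)          /* the check the report describes as missing */
        return -1;
    s = skip_int(s, h);
    if (s == NULL)
        return -1;
    s = skip_int(s, maxval);
    if (s == NULL || *w <= 0 || *h <= 0 || *maxval <= 0 || *maxval > 65535)
        return -1;
    return 0;
}

/* Convenience wrapper: pixel count for a valid header, -1 otherwise. */
long ppm_pixel_count(const char *line)
{
    int w, h, maxval;
    if (parse_ppm_header(line, &w, &h, &maxval) != 0)
        return -1;
    return (long)w * (long)h;
}
```

A truncated header such as "P6 640" now fails cleanly with -1 instead of reaching skip_white with a NULL pointer.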