Date: Wed, 5 Oct 2016 13:06:03 +0200
From: Raphael Geissert <>
To: Open Source Security <>
Subject: Re: openjpeg CVE-2016-3181, CVE-2016-3182 .. and CVE-2013-6045


On 27 September 2016 at 03:24, Doran Moppert <> wrote:
> First, CVE-2016-3181 and CVE-2016-3182 have been identified by upstream as the
> same underlying issue.
>> Origin of the issue is the same as #725
> .. it gets more interesting.  The reproducer on issue 725 happens to tickle
> a flaw in a patch for CVE-2013-6045 that was posted here back when:
> segfault-1.patch uses:
> +               tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
> which should have used compcsize instead of comp0size.

Yes, indeed. This patch also introduced a regression in the processing
of some images.

> This hasn't been an issue in upstream openjpeg releases for a long time ...
> but there are LTS distributions around still shipping 1.5.1 (or 1.3) with the
> patches from here applied.  Those should preferably upgrade to 1.5.2:  changing
> comp0size to compcsize eliminates this particular crash, but the upstream fixes
> that got into 1.5.2 seem to more thoroughly address some of the underlying
> problems.

Do you specifically know of a distribution that still has that patch?
If I remember the context correctly, the use of comp0size could then
lead to a heap buffer overflow later on. Was that what you noticed?

In any case, the patch should indeed better be replaced by the one
provided upstream (cf. the Debian bug report).

Raphael Geissert - Debian Developer -
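To make the sizing mistake discussed above concrete, here is an added, stand-alone C model of it. It is not openjpeg code and not the patch from the thread: the `tile_comp_t` struct, the `alloc_components` and `fill_component` functions and the 16x16 / 32x32 / 8x8 component sizes are all constructed for illustration. It mirrors the shape of the quoted line (`comp0size + 3` ints per component, where `compcsize` was intended) and shows why sizing every component's buffer from component 0 leaves any larger component with a buffer shorter than the samples that will later be written into it. The simulated fill is bounds-checked and only counts the samples that would not fit, so the program itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tile component: dimensions, sample buffer and its capacity in ints. */
typedef struct {
    int w, h;
    int *data;
    size_t capacity;   /* number of ints actually allocated for data */
} tile_comp_t;

static size_t comp_samples(const tile_comp_t *c)
{
    return (size_t)c->w * (size_t)c->h;
}

/* Allocates the data buffer of each of ncomps components.
 * use_comp0_size != 0 reproduces the mistake from the thread: every buffer is sized
 * from component 0. Otherwise each buffer is sized from its own component, which is
 * what the patch should have done. The "+ 3" slack matches the quoted line. */
static int alloc_components(tile_comp_t *comps, int ncomps, int use_comp0_size)
{
    size_t comp0size = comp_samples(&comps[0]);
    for (int c = 0; c < ncomps; c++) {
        size_t compcsize = comp_samples(&comps[c]);
        size_t n = (use_comp0_size ? comp0size : compcsize) + 3;
        comps[c].data = calloc(n, sizeof(int));
        if (comps[c].data == NULL)
            return -1;
        comps[c].capacity = n;
    }
    return 0;
}

/* Simulates decoding one component into its buffer, bounds-checked: writes only
 * what fits and returns how many samples did NOT fit. A decoder without this check
 * would write those samples past the end of the heap block. */
static size_t fill_component(tile_comp_t *c)
{
    size_t needed = comp_samples(c);
    size_t limit = needed < c->capacity ? needed : c->capacity;
    for (size_t i = 0; i < limit; i++)
        c->data[i] = (int)i;
    return needed > c->capacity ? needed - c->capacity : 0;
}

static void free_components(tile_comp_t *comps, int ncomps)
{
    for (int c = 0; c < ncomps; c++) {
        free(comps[c].data);
        comps[c].data = NULL;
    }
}

/* Runs the scenario on constructed components where component 1 is larger than
 * component 0 (e.g. component 0 is subsampled). Returns the total number of samples
 * that would have overflowed their buffers; 0 means every buffer was large enough. */
size_t overflow_samples(int use_comp0_size)
{
    tile_comp_t comps[3] = {
        { 16, 16, NULL, 0 },   /* comp0:  256 samples */
        { 32, 32, NULL, 0 },   /* comp1: 1024 samples, larger than comp0 */
        {  8,  8, NULL, 0 },   /* comp2:   64 samples */
    };
    if (alloc_components(comps, 3, use_comp0_size) != 0)
        return (size_t)-1;
    size_t total = 0;
    for (int c = 0; c < 3; c++)
        total += fill_component(&comps[c]);
    free_components(comps, 3);
    return total;
}

int main(void)
{
    printf("sized from comp0:  %zu samples would overflow\n", overflow_samples(1));
    printf("sized per component: %zu samples would overflow\n", overflow_samples(0));
    return 0;
}
```

With the buggy sizing, component 1 gets 259 ints of capacity for 1024 samples, so 765 samples fall outside the allocation; with per-component sizing, no sample does. When auditing a backported patch like the one in the thread, the check to make is exactly this one: the size passed to the allocator for component c must derive from component c's own dimensions, not from component 0's.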
