Bug 484802 (CVE-2013-4289) - <media-libs/openjpeg-1.5.2: multiple vulnerabilities (CVE-2013-{4289,4290})
Status: RESOLVED FIXED
Alias: CVE-2013-4289
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords: PullRequest
Depends on:
Blocks: CVE-2013-1447
Reported: 2013-09-13 18:45 UTC by Agostino Sarubbo
Modified: 2022-05-22 20:35 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-09-13 18:45:12 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1007531 :

Seth Arnold reported [1] a number of integer overflows causing heap-based buffer overflows in openjpeg:

Many instances of malloc() and opj_malloc() using integers multiplied together or added together without any overflow checks, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#1825
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#487

He notes this is not an exhaustive list, but serves as examples. Upstream has, to this point, not responded so there are currently no patches.


[1] http://www.openwall.com/lists/oss-security/2013/09/12/2
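
The bug class described above (an allocation size built by multiplying integers with no overflow check), shown next to a checked version. This is an added example, not code from the report or from OpenJPEG; `unchecked_size`, `checked_mul`, `volume_size` and `alloc_volume` are hypothetical names and the dimensions are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the product is computed in 32 bits and wraps silently.
 * uint32_t keeps the wrap well-defined for this demonstration. */
static uint32_t unchecked_size(uint32_t w, uint32_t h, uint32_t d, uint32_t elem)
{
    return w * h * d * elem;
}

/* Store a*b in *out; return 0 on success, -1 if the product exceeds SIZE_MAX. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened size computation: every multiplication is checked. */
static int volume_size(uint32_t w, uint32_t h, uint32_t d, size_t elem, size_t *bytes)
{
    size_t n;
    if (checked_mul(w, h, &n) || checked_mul(n, d, &n) || checked_mul(n, elem, &n))
        return -1;
    *bytes = n;
    return 0;
}

/* Allocate a w*h*d volume of int samples, or NULL if the size is invalid. */
static int *alloc_volume(uint32_t w, uint32_t h, uint32_t d)
{
    size_t bytes;
    if (w == 0 || h == 0 || d == 0 || volume_size(w, h, d, sizeof(int), &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed dimensions: 1024^3 samples of 4 bytes is 2^32 bytes. */
    printf("unchecked 32-bit size: %u\n", (unsigned)unchecked_size(1024, 1024, 1024, 4));
    int *v = alloc_volume(UINT32_MAX, UINT32_MAX, UINT32_MAX);
    printf("checked allocation: %s\n", v ? "allocated" : "rejected");
    free(v);
    return 0;
}
```

A wrapped size of 0 still yields a successful small allocation from malloc(), so later writes sized by the real dimensions land outside the buffer; the checked path fails the allocation instead.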
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-13 18:45:16 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1007533 :

Seth Arnold reported [1] a number of stack-based buffer overflows in openjpeg:

Several incorrect uses of strncpy() with data that may not have a NUL terminating byte within the indicated space, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#260
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#279

Several incorrect uses of strcpy() with data that may be longer than expected, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#188
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#192

Several incorrect uses of strcat() before accounting for the lengths, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#118
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#132

An incorrect use of sprintf() which can overflow a stack-based buffer:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#158

He notes this is not an exhaustive list, but serves as examples. Upstream has, to this point, not responded so there are currently no patches.


[1] http://www.openwall.com/lists/oss-security/2013/09/12/2


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
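
The string-handling patterns listed in the comment above, as an added example that is not part of the original report or of OpenJPEG: it shows strncpy() leaving a buffer unterminated, then bounded copy and append helpers that always terminate and report truncation. `is_terminated`, `strncpy_leaves_terminator`, `copy_bounded` and `append_bounded` are hypothetical names and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if buf[0..size) contains a NUL terminator, else 0. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The reported pattern: strncpy() writes no NUL when strlen(src) >= size. */
static int strncpy_leaves_terminator(const char *src)
{
    char dst[8];
    strncpy(dst, src, sizeof dst);
    return is_terminated(dst, sizeof dst);
}

/* Hardened copy: always terminates; returns -1 on truncation, 0 otherwise. */
static int copy_bounded(char *dst, size_t size, const char *src)
{
    int n = snprintf(dst, size, "%s", src);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Hardened append: account for what dst already holds before adding to it. */
static int append_bounded(char *dst, size_t size, const char *src)
{
    const char *end = memchr(dst, '\0', size);
    if (end == NULL)
        return -1;                      /* dst is not terminated */
    size_t used = (size_t)(end - dst);
    return copy_bounded(dst + used, size - used, src);
}

int main(void)
{
    char name[8];
    /* Constructed inputs: 8 characters exactly fill an 8-byte buffer. */
    printf("strncpy terminated: %d\n", strncpy_leaves_terminator("ABCDEFGH"));
    printf("copy_bounded:       %d\n", copy_bounded(name, sizeof name, "ABCDEFGH"));
    printf("stored:             \"%s\"\n", name);
    return 0;
}
```

Callers should treat the -1 return as an error rather than continue with the truncated string, since a silently shortened file name or message is its own defect.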
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:04:19 UTC
CVE-2013-4290 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4290):
  Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers
  to have unspecified impact via unknown vectors to (1)
  lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3)
  lib/openjp3d/event.c.

CVE-2013-4289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4289):
  Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2
  allow remote attackers to have unspecified impact and vectors, which
  trigger a heap-based buffer overflow.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2014-08-24 15:26:52 UTC
(In reply to GLSAMaker/CVETool Bot from comment #2)
> CVE-2013-4290 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4290):
>   Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers
>   to have unspecified impact via unknown vectors to (1)
>   lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3)
>   lib/openjp3d/event.c.
> 
> CVE-2013-4289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4289):
>   Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2
>   allow remote attackers to have unspecified impact and vectors, which
>   trigger a heap-based buffer overflow.

1.5.2 is in Portage now.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-08-24 15:35:31 UTC
Please test and stabilize:

=media-libs/openjpeg-1.5.2
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 02:20:58 UTC
Arches, please test and mark stable:

=media-libs/openjpeg-1.5.2

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-25 07:37:52 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-08-30 16:59:54 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-08-30 17:00:22 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-02 07:37:55 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-09-02 07:38:09 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2014-09-09 19:00:05 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-09-13 17:35:02 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-09-13 17:38:34 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-09-19 10:31:33 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Samuli Suominen (RETIRED) gentoo-dev 2014-09-19 10:53:36 UTC
cleanup done, maintainers are out :)   reCC graphics@ if you need us for something
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-09-20 00:44:16 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2014-09-20 00:46:26 UTC
Added to an existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:15:26 UTC
This issue was resolved and addressed in
 GLSA 201412-24 at http://security.gentoo.org/glsa/glsa-201412-24.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 19 Larry the Git Cow gentoo-dev 2022-05-22 20:35:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0a1ba2eaccd64377fa90dd289886faaae126df3

commit f0a1ba2eaccd64377fa90dd289886faaae126df3
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-05-16 08:07:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-22 20:35:39 +0000

    media-libs/openjpeg: add 2.5.0
    
    Also update to EAPI 8, and bump the test data to the latest commit
    possible. Drop all security patches from v2.4.0 as they are part of the
    upstream release.
    
    Closes: https://bugs.gentoo.org/844064
    Bug: https://bugs.gentoo.org/783513
    Bug: https://bugs.gentoo.org/484802
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/25523
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openjpeg/Manifest                       |   2 +
 .../files/openjpeg-2.5.0-gnuinstalldirs.patch      | 299 +++++++++++++++++++++
 media-libs/openjpeg/openjpeg-2.5.0.ebuild          | 140 ++++++++++
 3 files changed, 441 insertions(+)