|Summary:||<media-libs/openjpeg-1.5.1: Gray16 TIFF Image Tile Decoding Vulnerability (CVE-2009-5030)|
|Product:||Gentoo Security||Reporter:||Agostino Sarubbo <ago>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||472536|
Description Agostino Sarubbo 2012-04-21 09:48:18 UTC
From secunia: Description A vulnerability has been reported in OpenJPEG, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to an error within the "tcd_free_encode()" function (tcd.c) when decoding tile information from Gray16 TIFF images and can be exploited to corrupt heap memory. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in version 1.5.0. Other versions may also be affected. Solution Do not process files from untrusted sources(unpatched).
Comment 1 Tim Sammut (RETIRED) 2012-05-25 06:38:38 UTC
Correct Secunia advisory is https://secunia.com/advisories/48781.
Comment 2 GLSAMaker/CVETool Bot 2012-07-19 16:30:50 UTC
CVE-2009-5030 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5030): The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted tile information in a Gray16 TIFF image, which causes insufficient memory to be allocated and leads to an "invalid free."
Comment 3 Sean Amoss (RETIRED) 2013-09-29 15:24:12 UTC
GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot 2013-10-10 11:48:53 UTC
This issue was resolved and addressed in GLSA 201310-07 at http://security.gentoo.org/glsa/glsa-201310-07.xml by GLSA coordinator Sean Amoss (ackle).