Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 409203 (CVE-2012-1499) - <media-libs/openjpeg-1.5.0 : CMAP Record Parsing Vulnerability (CVE-2012-1499)
Summary: <media-libs/openjpeg-1.5.0 : CMAP Record Parsing Vulnerability (CVE-2012-1499)
Status: RESOLVED FIXED
Alias: CVE-2012-1499
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48498/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-21 17:19 UTC by Agostino Sarubbo
Modified: 2012-06-21 00:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-21 17:19:39 UTC 
From secunia security advisory at $URL:

Description
A vulnerability has been reported in OpenJPEG, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an error when parsing a CMAP record and can be exploited to cause an out-of-bounds write via specially crafted JPEG files.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 1.4. Prior versions may also be affected.


Solution
Update to version 1.5.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-03-21 19:42:32 UTC 
=media-libs/openjpeg-1.5.0 is in Portage but upstream changed SONAME (again) and the cmake based build system is poorly done so it's (again) unclear if there was
a real API/ABI breakage.

Please test reverse dependencies:

http://qa-reports.gentoo.org/output/genrdeps/rindex/media-libs/openjpeg

CCing arch's for testing/stabilization.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-22 11:57:39 UTC 
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2012-03-23 10:30:46 UTC 
amd64 stable
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-24 17:05:21 UTC 
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-03-25 14:45:36 UTC 
ppc64 done
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-03-25 14:52:17 UTC 
ppc done
Comment 7 Markus Meier gentoo-dev 2012-03-31 14:56:25 UTC 
arm stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-04-21 17:28:48 UTC 
 alpha/ia64/s390/sh/sparc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-21 19:41:31 UTC 
Thanks, everyone. Already on existing GLSA request, but waiting on bug 412895.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 02:27:42 UTC 
CVE-2012-1499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1499):
  The JPEG 2000 codec in OpenJPEG before 1.5 does not properly allocate memory
  during file parsing, which allows remote attackers to execute arbitrary code
  via a crafted file.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 00:55:11 UTC 
This issue was resolved and addressed in
 GLSA 201206-06 at http://security.gentoo.org/glsa/glsa-201206-06.xml
by GLSA coordinator Sean Amoss (ackle).