Bug 493662 (CVE-2013-1447) - <media-libs/openjpeg-1.5.2: multiple vulnerabilities (CVE-2013-{1447,6045,6052,6053,6054,6887})
Status: RESOLVED FIXED
Alias: CVE-2013-1447
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: CVE-2014-0158
Depends on: CVE-2013-4289
Blocks:
Reported: 2013-12-08 15:00 UTC by Agostino Sarubbo
Modified: 2014-12-13 19:15 UTC
Description Agostino Sarubbo gentoo-dev 2013-12-08 15:00:46 UTC
From ${URL} :

During a review for EDF, I discovered multiple kinds of
vulnerabilities in openjpeg (different than CVE-2013-4289 and
CVE-2013-4290).

Summary:
* multiple denial of service (null ptr deref, high resource
consumption - in the order of 20GBs, division by zero, etc),
* invalid free()s (didn't check impact),
* out of bounds array reads and writes (similar to CVE-2012-3358, so
possibly exploitable to run arbitrary code),
* a format string bug (didn't check impact, at least DoS, ileak), and
* the use of uninitialized memory for all sorts of things.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-12-10 03:54:50 UTC
CVE Assignments:

1. heap OOB reads, information leaks - (CVE-2013-6052)

2. heap OOB reads, information leaks (V: 1.5.1 Only) - (CVE-2013-6053)

3. heap OOB writes (CVE-2013-6045)

4. heap OOB writes (V: 1.3 Only) - (CVE-2013-6054)

5. null pointer dereferences, division by zero, and anything that
 would just fit as DoS (CVE-2013-1447)

6. null pointer dereferences, division by zero, and anything that
 would just fit as DoS (V: 1.5.1 Only) - (CVE-2013-6887)


Patch attempts are at the URL:
http://www.openwall.com/lists/oss-security/2013/12/04/6
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 01:36:21 UTC
CVE-2013-6054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6054):
  Heap-based buffer overflow in OpenJPEG 1.3 has unspecified impact and remote
  vectors, a different vulnerability than CVE-2013-6045.

CVE-2013-6052 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6052):
  OpenJPEG 1.3 and earlier allows remote attackers to obtain sensitive
  information via unspecified vectors.

CVE-2013-6045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6045):
  Multiple heap-based buffer overflows in OpenJPEG 1.3 and earlier might allow
  remote attackers to execute arbitrary code via unspecified vectors.

CVE-2013-1447 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1447):
  OpenJPEG 1.3 and earlier allows remote attackers to cause a denial of
  service (memory consumption or crash) via unspecified vectors.
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-11 15:42:57 UTC
fixed in 1.5.2:

http://openjpeg.googlecode.com/svn/tags/version.1.5.2/NEWS
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-07-20 14:27:45 UTC
CVE-2013-6887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6887):
  OpenJPEG 1.5.1 allows remote attackers to cause a denial of service via
  unspecified vectors that trigger NULL pointer dereferences,
  division-by-zero, and other errors.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:31:34 UTC
CVE-2013-6053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6053):
  OpenJPEG 1.5.1 allows remote attackers to obtain sensitive information via
  unspecified vectors that trigger a heap-based out-of-bounds read.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2014-08-24 15:29:21 UTC
1.5.2 is in Portage, see also bug 484802
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2014-08-24 15:30:47 UTC
*** Bug 506456 has been marked as a duplicate of this bug. ***
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2014-08-24 15:36:06 UTC
Stabilization is happening at bug 484802 as we speak.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2014-09-19 10:54:55 UTC
Stabilization is complete from bug 484802 (see "Depends on: ") so changed Whiteboard to "glsa?"
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-09-20 00:44:21 UTC
Arches and Maintainer(s), thank you for your work.

GLSA Vote: Yes
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-09-20 00:45:27 UTC
Ignore the vote; this is an A2. I was going by blocker.

New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:15:36 UTC
This issue was resolved and addressed in
 GLSA 201412-24 at http://security.gentoo.org/glsa/glsa-201412-24.xml
by GLSA coordinator Sean Amoss (ackle).