From https://bugzilla.redhat.com/show_bug.cgi?id=1007531 :

Seth Arnold reported [1] a number of integer overflows causing heap-based buffer overflows in openjpeg:

Many instances of malloc() and opj_malloc() using integers multiplied together or added together without any overflow checks, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#1825
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/jp3d.c#487

He notes this is not an exhaustive list, but serves as examples.

Upstream has, to this point, not responded so there are currently no patches.

[1] http://www.openwall.com/lists/oss-security/2013/09/12/2
From https://bugzilla.redhat.com/show_bug.cgi?id=1007533 :

Seth Arnold reported [1] a number of stack-based buffer overflows in openjpeg:

Several incorrect uses of strncpy() with data that may not have a NUL terminating byte within the indicated space, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#260
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/opj_jp3d_compress.c#279

Several incorrect uses of strcpy() with data that may be longer than expected, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#188
* http://code.google.com/p/openjpeg/source/browse/trunk/src/bin/jp3d/convert.c#192

Several incorrect uses of strcat() before accounting for the lengths, e.g.:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#118
* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#132

An incorrect use of sprintf() which can overflow a stack-based buffer:

* http://code.google.com/p/openjpeg/source/browse/trunk/src/lib/openjp3d/event.c#158

He notes this is not an exhaustive list, but serves as examples.

Upstream has, to this point, not responded so there are currently no patches.

[1] http://www.openwall.com/lists/oss-security/2013/09/12/2

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
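The two reports above name the same two defect classes: size arithmetic handed to malloc()/opj_malloc() without an overflow check, and strncpy()/strcpy()/strcat()/sprintf() calls that assume the source is NUL-terminated or that the destination has room. The C below is an added illustration of the checks that prevent each class, not code from openjpeg, from the bug reports, or from the Gentoo tree; the helper names checked_mul, checked_add, alloc_2d, bounded_copy and bounded_append are hypothetical, and the buffer sizes in main() are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Multiply two size_t values; return 0 (and leave *out untouched) if the
 * product would wrap instead of silently producing a too-small size. */
int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Add two size_t values with the same overflow contract as checked_mul. */
int checked_add(size_t a, size_t b, size_t *out) {
    if (b > SIZE_MAX - a) return 0;
    *out = a + b;
    return 1;
}

/* Allocate rows * cols elements of elem_size bytes each. Every intermediate
 * product is checked, so a wrapped size can never reach malloc(). Hypothetical
 * helper standing in for the unchecked "malloc(w * h * sizeof(x))" pattern. */
void *alloc_2d(size_t rows, size_t cols, size_t elem_size) {
    size_t count, bytes;
    if (!checked_mul(rows, cols, &count)) return NULL;
    if (!checked_mul(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

/* Copy up to dstsz - 1 bytes of src into dst and always NUL-terminate dst.
 * src need not be NUL-terminated: srclen bounds how far it may be read.
 * Returns 1 if the whole source string fit, 0 if it was truncated. */
int bounded_copy(char *dst, size_t dstsz, const char *src, size_t srclen) {
    size_t i = 0;
    if (dstsz == 0) return 0;
    while (i < srclen && i < dstsz - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    /* We fit only if copying stopped because the source ended, not because
     * the destination filled up. */
    return (i == srclen || src[i] == '\0');
}

/* Append src to the NUL-terminated string already in dst (capacity dstsz),
 * checking the existing length first, which is what the reported strcat()
 * call sites omit. Returns 0 if dst is unterminated or the result is cut. */
int bounded_append(char *dst, size_t dstsz, const char *src, size_t srclen) {
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL) return 0;               /* dst is not a valid C string */
    size_t used = (size_t)(end - dst);
    return bounded_copy(dst + used, dstsz - used, src, srclen);
}

int main(void) {
    size_t bytes;
    printf("3 * 4 -> %s\n", checked_mul(3, 4, &bytes) ? "ok" : "overflow");
    printf("SIZE_MAX * 2 -> %s\n",
           checked_mul(SIZE_MAX, 2, &bytes) ? "ok" : "overflow");

    char buf[8];                              /* constructed small stack buffer */
    int fit = bounded_copy(buf, sizeof buf, "0123456789", 10);
    printf("copy: \"%s\" (%s)\n", buf, fit ? "fit" : "truncated");

    bounded_copy(buf, sizeof buf, "abc", 3);
    fit = bounded_append(buf, sizeof buf, "defgh", 5);
    printf("append: \"%s\" (%s)\n", buf, fit ? "fit" : "truncated");
    return 0;
}
```

The callers of these helpers get an explicit yes/no for both failure modes (a size that wrapped, a string that did not fit), which is the decision the unchecked malloc() and str*() calls in the reports never make; in openjpeg's case the caller would then reject the input rather than continue with a short buffer.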
CVE-2013-4290 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4290):
Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers to have unspecified impact via unknown vectors to (1) lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3) lib/openjp3d/event.c.

CVE-2013-4289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4289):
Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2 allow remote attackers to have unspecified impact and vectors, which trigger a heap-based buffer overflow.
(In reply to GLSAMaker/CVETool Bot from comment #2)
> CVE-2013-4290 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4290):
> Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers
> to have unspecified impact via unknown vectors to (1)
> lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3)
> lib/openjp3d/event.c.
>
> CVE-2013-4289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4289):
> Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2
> allow remote attackers to have unspecified impact and vectors, which
> trigger a heap-based buffer overflow.

1.5.2 is in Portage now.
Please test and stabilize: =media-libs/openjpeg-1.5.2
Arches, please test and mark stable: =media-libs/openjpeg-1.5.2

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Stable for HPPA.
ppc stable
ppc64 stable
amd64 stable
x86 stable
arm stable
alpha stable
ia64 stable
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Cleanup done, maintainers are out :) Re-CC graphics@ if you need us for something.
Arches and Maintainer(s), thank you for your work.

GLSA Vote: Yes
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201412-24 at http://security.gentoo.org/glsa/glsa-201412-24.xml by GLSA coordinator Sean Amoss (ackle).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0a1ba2eaccd64377fa90dd289886faaae126df3

commit f0a1ba2eaccd64377fa90dd289886faaae126df3
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-05-16 08:07:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-22 20:35:39 +0000

    media-libs/openjpeg: add 2.5.0

    Also update to EAPI 8, and bump the test data to the latest commit possible.

    Drop all security patches from v2.4.0 as they are part of the upstream release.

    Closes: https://bugs.gentoo.org/844064
    Bug: https://bugs.gentoo.org/783513
    Bug: https://bugs.gentoo.org/484802
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/25523
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openjpeg/Manifest                        |   2 +
 .../files/openjpeg-2.5.0-gnuinstalldirs.patch       | 299 +++++++++++++++++++++
 media-libs/openjpeg/openjpeg-2.5.0.ebuild           | 140 ++++++++++
 3 files changed, 441 insertions(+)