629372 – (CVE-2016-10504, CVE-2016-10505, CVE-2016-10506, CVE-2016-10507) <media-libs/openjpeg-2.2.0: multiple denial of service (CVE-2016-{10504,10505,10506,10507})

Bug 629372 (CVE-2016-10504, CVE-2016-10505, CVE-2016-10506, CVE-2016-10507) - <media-libs/openjpeg-2.2.0: multiple denial of service (CVE-2016-{10504,10505,10506,10507})

Summary: <media-libs/openjpeg-2.2.0: multiple denial of service (CVE-2016-{10504,10505...

Status:	RESOLVED FIXED

Alias:	CVE-2016-10504, CVE-2016-10505, CVE-2016-10506, CVE-2016-10507

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa cve]
Keywords:

Depends on:	CVE-2016-1626, CVE-2016-1628, CVE-2016-9112
Blocks:
	Show dependency tree

Reported:	2017-08-30 12:13 UTC by Aleksandr Wagner (Kivak)
Modified:	2017-10-23 01:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-08-30 12:13:18 UTC

CVE-2016-10504 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10504):

Heap-based buffer overflow vulnerability in the opj_mqc_byteout function in mqc.c in OpenJPEG before 2.2.0 allows remote attackers to cause a denial of service (application crash) via a crafted bmp file. 

References:

https://github.com/uclouvain/openjpeg/commit/397f62c0a838e15d667ef50e27d5d011d2c79c04
https://github.com/uclouvain/openjpeg/issues/835

CVE-2016-10505 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10505):

NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files. 

References:

https://github.com/uclouvain/openjpeg/issues/776
https://github.com/uclouvain/openjpeg/issues/784
https://github.com/uclouvain/openjpeg/issues/785
https://github.com/uclouvain/openjpeg/issues/792

CVE-2016-10506 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10506):

Division-by-zero vulnerabilities in the functions opj_pi_next_cprl, opj_pi_next_pcrl, and opj_pi_next_rpcl in pi.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files. 

References:

https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b
https://github.com/uclouvain/openjpeg/issues/731
https://github.com/uclouvain/openjpeg/issues/732
https://github.com/uclouvain/openjpeg/issues/777
https://github.com/uclouvain/openjpeg/issues/778
https://github.com/uclouvain/openjpeg/issues/779
https://github.com/uclouvain/openjpeg/issues/780

CVE-2016-10507 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10507):

Integer overflow vulnerability in the bmp24toimage function in convertbmp.c in OpenJPEG before 2.2.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted bmp file. 

References:

https://github.com/uclouvain/openjpeg/commit/da940424816e11d624362ce080bc026adffa26e8
https://github.com/uclouvain/openjpeg/issues/833

Comment 1 Aleksandr Wagner (Kivak) 2017-08-30 12:14:01 UTC

Stabilization will happen in bug 602180.

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2017-10-23 01:40:14 UTC

This issue was resolved and addressed in
 GLSA 201710-26 at https://security.gentoo.org/glsa/201710-26
by GLSA coordinator Aaron Bauman (b-man).