Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 707926 (CVE-2020-6851, CVE-2020-8112) - <media-libs/openjpeg-2.3.1-r1: multiple vulnerabilities (CVE-2020-{6851,8112})
Summary: <media-libs/openjpeg-2.3.1-r1: multiple vulnerabilities (CVE-2020-{6851,8112})
Status: RESOLVED FIXED
Alias: CVE-2020-6851, CVE-2020-8112
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-02 13:44 UTC by filip ambroz
Modified: 2020-03-31 17:58 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/openjpeg-2.3.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-02 13:44:44 UTC
Heap-based buffer overflows.
Described here: https://github.com/uclouvain/openjpeg/issues/1228
And here: https://github.com/uclouvain/openjpeg/issues/1231
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:12:50 UTC
CVE-2020-8112 (https://nvd.nist.gov/vuln/detail/CVE-2020-8112):
  opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
  2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
  different issue than CVE-2020-6851.

CVE-2020-6851 (https://nvd.nist.gov/vuln/detail/CVE-2020-6851):
  OpenJPEG through 2.3.1 has a heap-based buffer overflow in
  opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
  opj_j2k_update_image_dimensions validation.
Comment 3 Larry the Git Cow gentoo-dev 2020-03-25 22:42:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26f7a380f84826f1b0b5510cd34e4f72894b5e8f

commit 26f7a380f84826f1b0b5510cd34e4f72894b5e8f
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-22 01:56:44 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-25 22:42:02 +0000

    media-libs/openjpeg: Patch CVEs in SLOT:2
    
    Uses upstream patches to fix CVE-2020-6851, CVE-2020-8112.
    
    Bug: https://bugs.gentoo.org/707926
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15049
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/openjpeg-2.3.1-CVE-2020-6851.patch       |  29 +++++
 .../files/openjpeg-2.3.1-CVE-2020-8112.patch       |  43 +++++++
 media-libs/openjpeg/openjpeg-2.3.1-r1.ebuild       | 135 +++++++++++++++++++++
 3 files changed, 207 insertions(+)
Comment 4 Stabilization helper bot gentoo-dev 2020-03-25 23:00:31 UTC
An automated check of this bug failed - the following atom is unknown:

edia-libs/openjpeg-2.3.1-r1

Please verify the atom list.
Comment 5 Stabilization helper bot gentoo-dev 2020-03-26 01:00:24 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-26 10:18:35 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-26 10:21:23 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-26 10:21:56 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-26 10:23:18 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-26 10:25:19 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-26 12:04:35 UTC
s390 stable
Comment 12 Rolf Eike Beer 2020-03-26 18:03:20 UTC
hppa stable
Comment 13 Mart Raudsepp gentoo-dev 2020-03-29 11:19:41 UTC
arm64 stable despite test failure (looks like -r0 fails even more tests on a single try)
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-30 13:36:34 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2020-03-31 12:35:55 UTC
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
Comment 16 Sam James archtester gentoo-dev Security 2020-03-31 12:43:29 UTC
@maintainer(s), please cleanup
Comment 17 Larry the Git Cow gentoo-dev 2020-03-31 17:57:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fe3f2e1ea52b4d887f707ff3b0564862c5d7b86

commit 8fe3f2e1ea52b4d887f707ff3b0564862c5d7b86
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-31 17:57:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-31 17:57:50 +0000

    media-libs/openjpeg: security cleanup (#707926)
    
    Bug: https://bugs.gentoo.org/707926
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/openjpeg/openjpeg-2.3.1.ebuild | 133 ------------------------------
 1 file changed, 133 deletions(-)
Comment 18 Thomas Deutschmann gentoo-dev Security 2020-03-31 17:58:40 UTC
GLSA Vote: No!

Repository is clean, all done!