Bug 1012822 (CVE-2016-9675)

Summary: VUL-0: CVE-2016-9675: openjpeg: incorrect fix for CVE-2013-6045
Product: [openSUSE] openSUSE Distribution
Component: Security
Status: RESOLVED INVALID
Severity: Normal
Priority: P3 - Medium
Version: Leap 42.2
Target Milestone: ---
Hardware: Other
OS: Other
Reporter: Alexander Bergmann <abergmann>
Assignee: Asterios Dramis <asterios.dramis>
QA Contact: E-mail List <qa-bugs>
CC: qantas94heavy
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2016-11-30 14:03:35 UTC
rh#1382202

A flaw was found in the patch for CVE-2013-6045 for openjpeg-1.  A crafted
jpeg2000 image could cause heap-based buffer overflows, leading to a crash or
possible code execution when reading or converting the crafted file.

External reference:
http://seclists.org/oss-sec/2016/q3/624

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1036495#c20
https://bugs.debian.org/734238

Correct patch:
http://pkgs.fedoraproject.org/cgit/rpms/openjpeg.git/tree/openjpeg-1.5.1-CVE-2013-6045.patch

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1382202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9675

Comment 1 Swamp Workflow Management 2016-11-30 23:00:39 UTC
bugbot adjusting priority

Comment 2 Asterios Dramis 2017-02-02 22:39:17 UTC
This issue affects only openjpeg <= 1.5.1. See also

http://seclists.org/oss-sec/2016/q3/624

and

https://bugzilla.redhat.com/show_bug.cgi?id=1036495#c20

The suggested patch is from version 1.5.2. 

Leap >= 42.1 and Tumbleweed already have version 1.5.2.

Comment 3 Karl Cheng 2017-10-11 01:04:46 UTC
CVE does not affect openSUSE as mentioned in comment 2. (SLE does not include openjpeg 1.x.)