|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2017-14040: openjpeg2: An invalid write access was discovered in bin/jp2/convert.c in OpenJPEG2.2.0, triggering a crash in the tgatoimage function. The vulnerabilitymay lead to remote denial of service or possibly unspecified o | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | astieger, hpj, smash_bz |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | openSUSE 42.2 | ||
| URL: | https://smash.suse.de/issue/191292/ | ||
| Whiteboard: | CVSSv2:SUSE:CVE-2017-14040:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:SUSE:CVE-2017-14040:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-14040:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-14040:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1057435 | ||
| Attachments: |
00326-openjpeg-invalidwrite-tgatoimage.tga
openjpeg2-CVE-2017-14040.patch |
||
|
Description
Marcus Meissner
2017-08-31 12:21:32 UTC
Created attachment 739006 [details]
00326-openjpeg-invalidwrite-tgatoimage.tga
QA REPRODUCER:
opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i 00326-openjpeg-invalidwrite-tgatoimage.tga -o null.j2k
should not crash
I could not get it to crash on leap or factory. assuming not affected. Based on upstream fix and code inspection, SLE, Leap and TW are all affected. Created attachment 740414 [details]
openjpeg2-CVE-2017-14040.patch
This is an autogenerated message for OBS integration: This bug (1056621) was mentioned in https://build.opensuse.org/request/show/523821 42.3 / openjpeg2 https://build.opensuse.org/request/show/523822 42.2 / openjpeg2 SUSE-SU-2017:2649-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1056421,1056562,1056621,1056622,1057511 CVE References: CVE-2016-10507,CVE-2017-14039,CVE-2017-14040,CVE-2017-14041,CVE-2017-14164 Sources used: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): openjpeg2-2.1.0-4.6.1 SUSE Linux Enterprise Server 12-SP3 (src): openjpeg2-2.1.0-4.6.1 SUSE Linux Enterprise Server 12-SP2 (src): openjpeg2-2.1.0-4.6.1 SUSE Linux Enterprise Desktop 12-SP3 (src): openjpeg2-2.1.0-4.6.1 SUSE Linux Enterprise Desktop 12-SP2 (src): openjpeg2-2.1.0-4.6.1 releasing for Leap, done openSUSE-SU-2017:2685-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1056421,1056562,1056621,1056622,1057511 CVE References: CVE-2016-10507,CVE-2017-14039,CVE-2017-14040,CVE-2017-14041,CVE-2017-14164 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): openjpeg2-2.1.0-8.1, openjpeg2-2.1.0-9.1 openSUSE-SU-2017:2686-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1056421,1056562,1056621,1056622,1057511 CVE References: CVE-2016-10507,CVE-2017-14039,CVE-2017-14040,CVE-2017-14041,CVE-2017-14164 Sources used: openSUSE Leap 42.3 (src): openjpeg2-2.1.0-19.1 openSUSE Leap 42.2 (src): openjpeg2-2.1.0-13.6.1 |