Bugzilla – Bug 1079845
VUL-1: CVE-2018-6616: openjpeg2: There is an excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c.
Last modified: 2022-04-21 06:56:30 UTC
CVE-2018-6616 In OpenJPEG 2.3.0, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. References: https://bugzilla.redhat.com/show_bug.cgi?id=1542321 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6616 http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6616.html https://github.com/uclouvain/openjpeg/issues/1059
Created attachment 759249 [details] reproducer opj_compress -n 1 -i $POC -o /tmp/null.j2k
We've tried the reproducer. On SLE12 (OpenJPG 2.1) it does not trigger. On Tumbleweed it does trigger, but only runs for a couple of seconds (vs. 15 minutes). However our stack trace looks completely different, so we are not too sure what to make of this. hpjansson and/or tzotsos could you please take a look at this?
Please check, if possible.
Please have a look here and submit with the other three issues if applicable. Thank you.
The function exists in SLE12, but the line number is different. There's no official fix and I don't see an obvious way to fix it at that location, but maybe there's something that can be done somewhere else. Since we can't reproduce this on SLE12, I'm inclined to leave it out of the CVE fix submission there.
Upstream fix is now available: https://github.com/uclouvain/openjpeg/commit/51f097e6d5754ddae93e716276fe8176b44ec548
Verified that this does not apply to SLE12. Submission accepted, reassigning to security-team.
@Hans, is SUSE:SLE-15:Update/openjpeg affected here?
SUSE-SU-2022:1252-1: An update that fixes 13 vulnerabilities is now available. Category: security (important) Bug References: 1076314,1076967,1079845,1102016,1106881,1106882,1140130,1160782,1162090,1173578,1180457,1184774,1197738 CVE References: CVE-2018-14423,CVE-2018-16375,CVE-2018-16376,CVE-2018-20845,CVE-2018-5727,CVE-2018-5785,CVE-2018-6616,CVE-2020-15389,CVE-2020-27823,CVE-2020-6851,CVE-2020-8112,CVE-2021-29338,CVE-2022-1122 JIRA References: Sources used: openSUSE Leap 15.4 (src): openjpeg2-2.3.0-150000.3.5.1 openSUSE Leap 15.3 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Manager Server 4.1 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Manager Retail Branch Server 4.1 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Manager Proxy 4.1 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server for SAP 15 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Server 15-LTSS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Enterprise Storage 7 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE Enterprise Storage 6 (src): openjpeg2-2.3.0-150000.3.5.1 SUSE CaaS Platform 4.0 (src): openjpeg2-2.3.0-150000.3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Thomas Leroy from comment #9) > @Hans, is SUSE:SLE-15:Update/openjpeg affected here? No.
(In reply to Hans Petter Jansson from comment #11) > (In reply to Thomas Leroy from comment #9) > > @Hans, is SUSE:SLE-15:Update/openjpeg affected here? > > No. Thanks! Everything fixed then, closing.