Bug 1227411 - VUL-0: CVE-2023-39327: openjpeg: openjpeg: malicious files can cause a large loop that continuously prints warning messages on the terminal
Summary: VUL-0: CVE-2023-39327: openjpeg: openjpeg: malicious files can cause a large ...
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Minor
Target Milestone: ---
Assignee: package coldpool
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412864/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2023-39327
Reported: 2024-07-04 18:15 UTC by Camila Camargo de Matos
Modified: 2024-07-15 04:34 UTC (History)
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
poc (139 bytes, image/x-jp2-codestream)
2024-07-11 08:12 UTC, Petr Gajdos
Details

Description Camila Camargo de Matos 2024-07-04 18:15:46 UTC
+++ This bug was initially created as a clone of Bug #1227410 +++

In openjpeg, maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.

References:

https://github.com/uclouvain/openjpeg/issues/1472
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39327
https://bugzilla.redhat.com/show_bug.cgi?id=2295812
Comment 2 Petr Gajdos 2024-07-11 08:12:54 UTC
Created attachment 876003 [details]
poc
Comment 3 Petr Gajdos 2024-07-11 08:13:46 UTC
According to the upstream bug:

opj_decompress -i bigloop -o te.raw
Comment 4 Petr Gajdos 2024-07-11 09:31:19 UTC
opj_decompress is not part of openjpeg 1.5.2.

Tried j2k_dump and j2k_to_image, not successfully:

:/227411 # j2k_to_image -i bigloop -o te.raw
!! Unrecognized format for infile : bigloop [accept only *.j2k, *.jp2, *.jpc or *.jpt] !!

:/227411 # j2k_to_image -i bigloop.j2k -o te.raw

[ERROR] 00000088: expected a marker instead of 4fff
ERROR -> j2k_to_image: failed to decode image!
:/227411 #
Comment 7 Petr Gajdos 2024-07-11 12:42:12 UTC
Tried with openjpeg 2.5.2 (openSUSE.org:home:pgajdos/openjpeg) and it is easily reproducible, indeed:

:/227411 # opj_decompress -i bigloop -o te.raw

===========================================
The extension of this file is incorrect.
FOUND loop. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1041 has been read.
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[..]
:/227411 #
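The output in Comment 7 shows the decoder accepting a main header that announces 1041 tiles and then emitting a pair of warnings per packet while it keeps looking for SOP and EPH markers inside a 139-byte file. The script below is an added illustration for this report, not OpenJPEG code and not a fix for the library: it parses the SOC, SIZ, COD and SOT segments as JPEG 2000 Part 1 lays them out, derives the tile grid the header declares, checks every tile-part length (Psot) against the bytes actually present, and applies a byte-budget heuristic (a lower bound of my own, not something the standard defines) so that a codestream of this shape is rejected before any decoder runs. All sample codestreams are constructed inside the script; the attached PoC is not used.

```python
"""Pre-decode sanity checks for a raw JPEG 2000 Part 1 codestream (.j2k/.j2c).

Added illustration for this report, not OpenJPEG code: it walks the main header and
tile-part headers as the standard lays them out and rejects a codestream whose declared
geometry cannot be backed by the bytes present.  All inputs are constructed here, not the PoC.
"""
import struct

SOC, SIZ, COD, QCD, SOT, SOD, EOC = 0xFF4F, 0xFF51, 0xFF52, 0xFF5C, 0xFF90, 0xFF93, 0xFFD9
SCOD_SOP, SCOD_EPH = 0x02, 0x04      # COD Scod bits: SOP markers may be used / EPH markers shall be used
SOT_SEGMENT, SOD_MARKER, EPH_LEN = 12, 2, 2


def parse_main_header(data):
    """Parse SOC up to the first SOT; return tile grid and COD facts or raise ValueError."""
    if len(data) < 2 or struct.unpack_from(">H", data, 0)[0] != SOC:
        raise ValueError("missing SOC marker")
    info, pos = {}, 2
    while pos + 4 <= len(data):
        marker, lseg = struct.unpack_from(">HH", data, pos)
        if marker == SOT:                          # the main header ends at the first tile-part
            info["first_sot"] = pos
            return info
        seg = data[pos + 2:pos + 2 + lseg]         # segment body, including its own length field
        if lseg < 2 or len(seg) != lseg:
            raise ValueError(f"truncated marker segment 0x{marker:04X} at offset {pos}")
        if marker == SIZ and lseg >= 38:
            xsiz, ysiz, xosiz, yosiz, xtsiz, ytsiz, xtosiz, ytosiz, csiz = struct.unpack_from(">IIIIIIIIH", seg, 4)
            if not (xtsiz and ytsiz and xsiz > xosiz and ysiz > yosiz and csiz):
                raise ValueError("degenerate SIZ geometry")
            ntx, nty = -(-(xsiz - xtosiz) // xtsiz), -(-(ysiz - ytosiz) // ytsiz)  # ceil(): numXtiles, numYtiles
            info.update(tiles=ntx * nty, components=csiz)
        elif marker == COD and lseg >= 12:
            # Lcod | Scod | SGcod: progression(1) layers(2) mct(1) | SPcod: decomposition levels(1) ...
            info.update(sop=bool(seg[2] & SCOD_SOP), eph=bool(seg[2] & SCOD_EPH),
                        layers=struct.unpack_from(">H", seg, 4)[0], levels=seg[7])
        pos += 2 + lseg
    raise ValueError("main header has no SOT")


def walk_tile_parts(data, pos):
    """Return [(Isot, Psot, offset)] for every tile-part; raise ValueError if a Psot overruns the data."""
    parts = []
    while pos + 2 <= len(data):
        marker = struct.unpack_from(">H", data, pos)[0]
        if marker == EOC:
            break
        if marker != SOT or pos + SOT_SEGMENT > len(data):
            raise ValueError(f"expected SOT at offset {pos}, found 0x{marker:04X}")
        _lsot, isot, psot = struct.unpack_from(">HHI", data, pos + 2)
        if psot == 0:                              # the last tile-part may declare 0 = "up to EOC"
            psot = len(data) - pos
        if psot < SOT_SEGMENT + SOD_MARKER or pos + psot > len(data):
            raise ValueError(f"tile {isot}: Psot={psot} does not fit in the {len(data) - pos} bytes left")
        parts.append((isot, psot, pos))
        pos += psot
    return parts


def check_codestream(data):
    """Return findings; ok=False when the declared layout cannot be backed by the bytes present."""
    hdr = parse_main_header(data)
    if "tiles" not in hdr or "layers" not in hdr:
        raise ValueError("main header lacks SIZ or COD")
    parts = walk_tile_parts(data, hdr["first_sot"])
    # Heuristic lower bound per tile: SOT segment + SOD, one byte per packet for each
    # (layer, resolution, component), plus the EPH marker that is mandatory when flagged.
    # SOP stays uncounted because the standard makes it optional even when Scod allows it.
    packets = hdr["layers"] * (hdr["levels"] + 1) * hdr["components"]
    per_tile = SOT_SEGMENT + SOD_MARKER + packets * (1 + (EPH_LEN if hdr["eph"] else 0))
    min_bytes = hdr["first_sot"] + hdr["tiles"] * per_tile + 2          # + EOC
    problems, seen = [], {isot for isot, _, _ in parts}
    if len(seen) != hdr["tiles"]:
        problems.append(f"SIZ declares {hdr['tiles']} tiles, {len(seen)} have a tile-part")
    if min_bytes > len(data):
        problems.append(f"declared layout needs at least {min_bytes} bytes, codestream has {len(data)}")
    return {"ok": not problems, "problems": problems, "declared_tiles": hdr["tiles"],
            "tile_parts": len(parts), "min_bytes": min_bytes}


def safe_check(data):
    """Turn a structural ValueError into a failed finding instead of an exception."""
    try:
        return check_codestream(data)
    except ValueError as exc:
        return {"ok": False, "problems": [str(exc)]}


def build_codestream(xsiz, ysiz, xtsiz, ytsiz, scod, tile_payloads):
    """Constructed sample: 1 component, 1 layer, 0 decomposition levels, one tile-part per entry."""
    siz = struct.pack(">HHIIIIIIIIH", 41, 0, xsiz, ysiz, 0, 0, xtsiz, ytsiz, 0, 0, 1) + bytes([7, 1, 1])
    cod = struct.pack(">HBBHBBBBBB", 12, scod, 0, 1, 0, 0, 4, 4, 0, 1)
    qcd = struct.pack(">HBB", 4, 0x40, 0x48)      # no quantisation, 2 guard bits
    out = struct.pack(">HH", SOC, SIZ) + siz + struct.pack(">H", COD) + cod + struct.pack(">H", QCD) + qcd
    for isot, payload in tile_payloads:
        psot = SOT_SEGMENT + SOD_MARKER + len(payload)
        out += struct.pack(">HHHIBB", SOT, 10, isot, psot, 0, 1) + struct.pack(">H", SOD) + payload
    return out + struct.pack(">H", EOC)


# Constructed inputs: a sane 64x64 single-tile stream; a 1041x1 image cut into 1x1 tiles
# (1041 declared tiles) backed by one tile-part, the shape seen in the report; a truncated copy.
GOOD = build_codestream(64, 64, 64, 64, SCOD_EPH, [(0, b"\x00" * 8)])
BIG_GRID = build_codestream(1041, 1, 1, 1, SCOD_SOP | SCOD_EPH, [(0, b"\x00" * 4)])
TRUNCATED = GOOD[:-6]                              # Psot still promises bytes that are no longer there
```

`safe_check(blob)` returns a dict with `ok` and `problems`, so it can be placed in front of `opj_decompress` in a processing pipeline: `GOOD` passes, `BIG_GRID` is rejected for declaring 1041 tiles that a single tile-part cannot back, and `TRUNCATED` fails on the Psot bounds check. This filters the input; it does not change the decoder, which is why the upstream fix still matters.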
Comment 8 Petr Gajdos 2024-07-11 13:02:03 UTC
I think openjpeg 1.5.2 can be affected, still. I guess we should wait for the upstream fix to confirm.