Bugzilla – Bug 1227424
VUL-0: CVE-2023-39328: openjpeg,openjpeg2: denial of service via crafted image file
Last modified: 2024-07-15 04:35:58 UTC
A vulnerability was found in OpenJPEG where an attacker remotely sends malicious pictures to allow the program to run, which can cause denial of service and exhaust system resources.

References:
https://github.com/uclouvain/openjpeg/issues/1471
https://github.com/uclouvain/openjpeg/pull/1470
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39328
https://bugzilla.redhat.com/show_bug.cgi?id=2219236
Created attachment 875904
Reproducer

$ opj_decompress -i CVE-2023-39328.poc -o te.raw

And check memory allocation.
opj_decompress is not part of openjpeg 1.5.2. Tried j2k_dump and j2k_to_image, I was not successful. :/

:/227424 # j2k_to_image -i CVE-2023-39328.poc.j2k -o te.raw
[ERROR] Prevent buffer overflow (x1: 1291845635, y1: 5)
[ERROR] 0000002a: expected a marker instead of 701
ERROR -> j2k_to_image: failed to decode image!
:/227424 #
Tried with openjpeg 2.5.2 (openSUSE.org:home:pgajdos/openjpeg) and it is easily reproducible, indeed:

:/227424 # opj_decompress -i CVE-2023-39328.poc
===========================================
The extension of this file is incorrect.
FOUND .poc. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================
[ERROR] Required parameters are missing
Example: opj_decompress -i image.j2k -o image.pgm
Help: opj_decompress -h
:/227424 # opj_decompress -i CVE-2023-39328.poc -o te.raw
===========================================
The extension of this file is incorrect.
FOUND .poc. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================
[INFO] Start to read j2k main header (0).
[WARNING] Cannot take in charge mct data within multiple MCT records
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
^C
:/227424 #
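The 1.5.2 error above ("x1: 1291845635, y1: 5") indicates the PoC declares an enormous image width in its SIZ marker, and the 2.5.2 run was interrupted after the main header decoded, consistent with the "exhaust system resources" description. Below is an added example, written for this bug page and not OpenJPEG's own code or anything from the upstream fix, of a pre-decode gate: it parses the SOC/SIZ header that every raw JPEG 2000 codestream (.j2k/.j2c/.jpc) begins with, per the public ITU-T T.800 Annex A layout, estimates what a decoder would need to hold the declared image, and refuses files over a budget before opj_decompress is ever run on them. Assumptions (not from the page): 4 bytes per sample per component as the estimate, a 512 MiB default budget, and the constructed sample headers built by build_codestream, whose oversized case reuses the dimensions quoted in the 1.5.2 error for illustration only.

```python
"""Pre-decode size check for raw JPEG 2000 codestreams (added example, not
OpenJPEG code).  Field layout: ITU-T T.800 Annex A.5.1 (SIZ marker)."""
import struct
import sys

SOC = 0xFF4F  # start of codestream marker
SIZ = 0xFF51  # image and tile size marker, must follow SOC directly

# Lsiz, Rsiz, Xsiz, Ysiz, XOsiz, YOsiz, XTsiz, YTsiz, XTOsiz, YTOsiz, Csiz
_SIZ_FIXED = struct.Struct(">HHIIIIIIIIH")   # 38 bytes


def parse_siz(data: bytes) -> dict:
    """Return the SIZ fields of a raw J2K codestream, raising ValueError on
    anything malformed or internally inconsistent."""
    if len(data) < 4 or struct.unpack(">H", data[:2])[0] != SOC:
        raise ValueError("not a raw J2K codestream (no SOC marker)")
    if struct.unpack(">H", data[2:4])[0] != SIZ:
        raise ValueError("SIZ must immediately follow SOC")
    if len(data) < 4 + _SIZ_FIXED.size:
        raise ValueError("truncated SIZ")
    (lsiz, _rsiz, xsiz, ysiz, xosiz, yosiz, xtsiz, ytsiz,
     xtosiz, ytosiz, csiz) = _SIZ_FIXED.unpack_from(data, 4)
    # Lsiz counts itself plus the fixed fields plus 3 bytes per component.
    if csiz == 0 or lsiz != 38 + 3 * csiz or len(data) < 4 + lsiz:
        raise ValueError("inconsistent Lsiz/Csiz or truncated component list")
    comps = []
    off = 4 + _SIZ_FIXED.size
    for _ in range(csiz):
        ssiz, xrsiz, yrsiz = struct.unpack_from(">BBB", data, off)
        off += 3
        if xrsiz == 0 or yrsiz == 0:
            raise ValueError("zero component sub-sampling factor")
        comps.append({"depth": (ssiz & 0x7F) + 1,
                      "signed": bool(ssiz & 0x80),
                      "dx": xrsiz, "dy": yrsiz})
    # Geometry constraints the standard imposes on the reference grid.
    if xosiz >= xsiz or yosiz >= ysiz or xtosiz > xosiz or ytosiz > yosiz:
        raise ValueError("image/tile origin outside the declared grid")
    if (xtsiz == 0 or ytsiz == 0
            or xtosiz + xtsiz <= xosiz or ytosiz + ytsiz <= yosiz):
        raise ValueError("first tile does not intersect the image area")
    return {"width": xsiz - xosiz, "height": ysiz - yosiz,
            "tile_w": xtsiz, "tile_h": ytsiz, "components": comps}


def estimated_decode_bytes(siz: dict) -> int:
    """Rough memory a decoder needs for the whole declared image, assuming
    (assumption, not any specific OpenJPEG allocation) 4 bytes per sample
    and per-component dimensions of ceil(width/dx) x ceil(height/dy)."""
    total = 0
    for c in siz["components"]:
        cw = -(-siz["width"] // c["dx"])
        ch = -(-siz["height"] // c["dy"])
        total += cw * ch * 4
    return total


def safe_to_decode(data: bytes, budget_bytes: int = 512 * 1024 * 1024) -> bool:
    """True only if the header parses and the declared image fits the budget."""
    try:
        siz = parse_siz(data)
    except ValueError:
        return False
    return estimated_decode_bytes(siz) <= budget_bytes


def build_codestream(xsiz: int, ysiz: int, ncomp: int = 1) -> bytes:
    """Constructed SOC+SIZ header (no tile data) used as sample input:
    origin 0,0, one tile covering the image, 8-bit unsigned components."""
    lsiz = 38 + 3 * ncomp
    body = _SIZ_FIXED.pack(lsiz, 0, xsiz, ysiz, 0, 0, xsiz, ysiz, 0, 0, ncomp)
    body += b"\x07\x01\x01" * ncomp
    return struct.pack(">HH", SOC, SIZ) + body


if __name__ == "__main__":
    # Usage: python siz_check.py file.j2k  (exit 1 if the file is rejected)
    with open(sys.argv[1], "rb") as fh:
        head = fh.read(4 + 38 + 3 * 16384)   # enough for any Csiz
    ok = safe_to_decode(head)
    print("accept" if ok else "reject", sys.argv[1])
    sys.exit(0 if ok else 1)
```

The check is deliberately conservative: it rejects headers that fail the standard's own geometry rules as well as images whose declared size would not fit the budget, and it reads only the first marker segment, so it costs nothing on the happy path. Note that opj_decompress selects the input format from the file extension, so a PoC saved as .poc needs renaming to .j2k before it is passed to the tool, as the "SHOULD BE .j2k" message above shows.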
I think openjpeg 1.5.2 can still be affected. I guess we should wait for the upstream fix to confirm.