Bug 1227425 (CVE-2023-39329) - VUL-0: CVE-2023-39329: openjpeg,openjpeg2: Resource exhaustion will occur in the opj_t1_decode_cblks function in the tcd.c
Status: NEW
Alias: CVE-2023-39329
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: package coldpool
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412865/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39329:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-05 07:41 UTC by SMASH SMASH
Modified: 2024-07-15 04:35 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer 1 (596 bytes, image/x-jp2-codestream), 2024-07-05 08:08 UTC, Alexander Bergmann
Reproducer 2 (1010 bytes, image/x-jp2-codestream), 2024-07-05 08:08 UTC, Alexander Bergmann

Description SMASH SMASH 2024-07-05 07:41:57 UTC
In openjpeg, resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.

References:

https://github.com/uclouvain/openjpeg/issues/1474
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39329
https://bugzilla.redhat.com/show_bug.cgi?id=2295816
Comment 1 Alexander Bergmann 2024-07-05 08:08:19 UTC
Created attachment 875902
Reproducer 1

$ opj_decompress -i CVE-2023-39329.poc1 -o te.raw

And check memory allocation.
Comment 2 Alexander Bergmann 2024-07-05 08:08:43 UTC
Created attachment 875903
Reproducer 2

$ opj_decompress -i CVE-2023-39329.poc2 -o te.raw

And check memory allocation.
Comment 3 Petr Gajdos 2024-07-11 09:40:29 UTC
opj_decompress is not part of openjpeg 1.5.2. Tried j2k_dump and j2k_to_image,
was not successful.

:/227425 # j2k_dump -i CVE-2023-39329.poc1.j2k -o te.raw

[ERROR] Prevent buffer overflow (x1: 16770048, y1: 256)
[ERROR] 0000002a: expected a marker instead of 8301
ERROR -> j2k_to_image: failed to decode image!

:/227425 # j2k_dump -i CVE-2023-39329.poc2.j2k -o te.raw

[ERROR] Prevent buffer overflow (x1: 256, y1: 16777472)
[ERROR] 0000002a: expected a marker instead of 8301
ERROR -> j2k_to_image: failed to decode image!
:/227425 #
Comment 4 Petr Gajdos 2024-07-11 12:53:05 UTC
Tried with openjpeg 2.5.2 (openSUSE.org:home:pgajdos/openjpeg) and it is easily reproducible, indeed:

:/227425 # opj_decompress -i CVE-2023-39329.poc1 -o te.raw

===========================================
The extension of this file is incorrect.
FOUND poc1. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================

[INFO] Start to read j2k main header (0).
[WARNING] Unknown marker
[WARNING] Unknown marker
[WARNING] Unknown marker
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 2 has been read.
[ERROR] opj_pi_next_lrcp(): invalid compno0/compno1
[ERROR] opj_pi_next_lrcp(): invalid compno0/compno1
^C
:/227425 #

Similar to CVE-2023-39329.poc1.
Comment 5 Petr Gajdos 2024-07-11 12:54:44 UTC
(In reply to Petr Gajdos from comment #4)
> Similar to CVE-2023-39329.poc1.

> Similarly to CVE-2023-39329.poc2.
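Added example (editor's code, not openjpeg's and not part of this bug report): comments 1 and 2 ask the reader to run opj_decompress on the reproducers and watch memory allocation, and the 1.5.2 error lines in comment 3 show the old build rejecting reference-grid dimensions in the 16-million range. An application that accepts untrusted JPEG 2000 can make that kind of check itself before calling the decoder, by parsing the SIZ marker at the start of the codestream (ISO/IEC 15444-1, Annex A) and refusing files whose decoded samples alone would exceed a memory budget. Assumptions that are not from the page: 4 bytes per decoded sample (the OPJ_INT32 openjpeg keeps in opj_image_comp_t::data), a 1 GiB budget, and the headers produced by build_siz(), which are constructed test input mirroring the x1/y1 values printed in comment 3, not the attached PoC files.

```c
/* Added example, not openjpeg's code and not from this bug report: read the
 * JPEG 2000 SIZ marker and refuse to decode when the decoded samples alone
 * would blow a memory budget. Assumed, not from the page: 4 bytes per
 * decoded sample (the OPJ_INT32 openjpeg stores in opj_image_comp_t::data);
 * the headers built by build_siz() are constructed test input, not the PoC. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define J2K_SOC 0xFF4Fu /* Start Of Codestream marker */
#define J2K_SIZ 0xFF51u /* Image and tile SIZe marker */

typedef struct {
    uint32_t xsiz, ysiz, xosiz, yosiz;     /* reference grid size, image origin */
    uint32_t xtsiz, ytsiz, xtosiz, ytosiz; /* tile size, tile origin */
    uint16_t csiz;                         /* component count */
    const uint8_t *comps;                  /* Csiz x {Ssiz, XRsiz, YRsiz} */
} j2k_siz;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static uint64_t ceil_div(uint64_t a, uint64_t b) { return (a + b - 1) / b; }

/* Parse SOC + SIZ at the start of a raw codestream. 0 on success, -1 if
 * truncated or malformed (ISO/IEC 15444-1: Lsiz = 38 + 3*Csiz, Csiz >= 1). */
int j2k_parse_siz(const uint8_t *buf, size_t len, j2k_siz *s)
{
    if (len < 42 || rd16(buf) != J2K_SOC || rd16(buf + 2) != J2K_SIZ)
        return -1; /* SOC(2) SIZ(2) Lsiz(2) Rsiz(2) 8 x 4-byte fields Csiz(2) */
    uint16_t lsiz = rd16(buf + 4);
    s->xsiz = rd32(buf + 8);    s->ysiz = rd32(buf + 12);
    s->xosiz = rd32(buf + 16);  s->yosiz = rd32(buf + 20);
    s->xtsiz = rd32(buf + 24);  s->ytsiz = rd32(buf + 28);
    s->xtosiz = rd32(buf + 32); s->ytosiz = rd32(buf + 36);
    s->csiz = rd16(buf + 40);
    s->comps = buf + 42;
    if (s->csiz == 0 || s->csiz > 16384 || lsiz != 38u + 3u * s->csiz || len < 4u + lsiz)
        return -1;
    return 0;
}

/* Sum the decoded-sample bytes over all components. Returns 0 if within
 * budget, 1 if over budget or if the size would not even fit in 64 bits,
 * -1 if the geometry is inconsistent (a decoder must reject it anyway). */
int j2k_check_budget(const j2k_siz *s, uint64_t budget, uint64_t *estimate)
{
    if (s->xosiz >= s->xsiz || s->yosiz >= s->ysiz || s->xtsiz == 0 || s->ytsiz == 0 ||
        s->xtosiz > s->xosiz || s->ytosiz > s->yosiz ||
        (uint64_t)s->xtosiz + s->xtsiz <= s->xosiz || (uint64_t)s->ytosiz + s->ytsiz <= s->yosiz)
        return -1;
    uint64_t total = 0;
    for (uint16_t i = 0; i < s->csiz; i++) {
        uint8_t dx = s->comps[3 * i + 1], dy = s->comps[3 * i + 2];
        if (dx == 0 || dy == 0)
            return -1;
        /* component extent after sub-sampling, as in the spec's Annex B */
        uint64_t w = ceil_div(s->xsiz, dx) - ceil_div(s->xosiz, dx);
        uint64_t h = ceil_div(s->ysiz, dy) - ceil_div(s->yosiz, dy);
        if (h != 0 && w > (UINT64_MAX / 4) / h) { *estimate = UINT64_MAX; return 1; }
        uint64_t bytes = w * h * 4;
        if (total > UINT64_MAX - bytes) { *estimate = UINT64_MAX; return 1; }
        total += bytes;
    }
    *estimate = total;
    return total > budget ? 1 : 0;
}

/* Convenience wrapper: -1 for a malformed header, otherwise j2k_check_budget(). */
int j2k_precheck(const uint8_t *buf, size_t len, uint64_t budget, uint64_t *estimate)
{
    j2k_siz s;
    if (j2k_parse_siz(buf, len, &s) != 0)
        return -1;
    return j2k_check_budget(&s, budget, estimate);
}

/* Constructed test input: SOC + SIZ with one tile covering the whole image
 * and csiz 8-bit unsigned, non-sub-sampled components. Returns bytes written. */
size_t build_siz(uint8_t *out, uint32_t xsiz, uint32_t ysiz, uint16_t csiz)
{
    uint8_t *p = out;
    wr16(p, J2K_SOC); wr16(p + 2, J2K_SIZ); wr16(p + 4, (uint16_t)(38 + 3 * csiz));
    wr16(p + 6, 0); /* Rsiz: no extended capabilities */
    wr32(p + 8, xsiz); wr32(p + 12, ysiz); wr32(p + 16, 0); wr32(p + 20, 0);
    wr32(p + 24, xsiz); wr32(p + 28, ysiz); wr32(p + 32, 0); wr32(p + 36, 0);
    wr16(p + 40, csiz);
    p += 42;
    for (uint16_t i = 0; i < csiz; i++) { *p++ = 7; *p++ = 1; *p++ = 1; } /* 8-bit, 1x1 */
    return (size_t)(p - out);
}

int main(void)
{
    uint8_t hdr[64];
    uint64_t est;
    const uint64_t budget = 1ull << 30; /* 1 GiB, an assumed policy value */
    size_t n = build_siz(hdr, 256, 256, 3);
    int rc = j2k_precheck(hdr, n, budget, &est);
    printf("256x256x3      -> rc %d, %llu bytes\n", rc, (unsigned long long)est);
    /* geometry mirroring the x1/y1 the 1.5.2 build printed in comment 3 */
    n = build_siz(hdr, 16777472u, 256, 1);
    rc = j2k_precheck(hdr, n, budget, &est);
    printf("16777472x256x1 -> rc %d, %llu bytes\n", rc, (unsigned long long)est);
    return 0;
}
```

The check only bounds sample storage; it says nothing about per-tile or packet-iterator state, and nothing about a decoder loop that never terminates, which is what the repeated opj_pi_next_lrcp() errors and the ^C in comment 4 suggest. To actually observe the allocation behaviour comments 1 and 2 ask about, run the reproducer under a hard address-space cap (`ulimit -v` in the shell that launches opj_decompress) and a wall-clock timeout, or under `/usr/bin/time -v` and read the maximum resident set size it reports.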
Comment 6 Petr Gajdos 2024-07-11 13:02:00 UTC
I think openjpeg 1.5.2 can still be affected. I guess we should wait for the upstream fix to confirm.