Bug 757260 - VUL-0: openjpeg: heap corruption
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Asterios Dramis
Security Team bot
Reported: 2012-04-16 06:57 UTC by Sebastian Krahmer
Modified: 2012-07-04 05:51 UTC

Description Sebastian Krahmer 2012-04-16 06:57:38 UTC
Via oss-sec:

Date: Fri, 13 Apr 2012 12:59:59 +0530
From: Huzaifa Sidhpurwala
To: oss-security

Hi All,

While looking at openjpeg, I found the following bug in their tracker,
which still seems to be un-addressed.

I don't think a CVE id has been assigned to this issue yet.
Comment 1 Sebastian Krahmer 2012-04-16 06:58:41 UTC
Via oss-sec:

Yes, doesn't look so one got assigned for this one yet, since:

provides just recent CVE-2012-1499. To the:


issue itself:

1) It should get a CVE-2009-* identifier (upstream
ticket is public from 2009-Jul-31).

2) From the issue reasons investigation, it seems to
be combination of heap-based buffer invalid reads and
writes by processing certain Gray16 TIFF images, leading
to invalid free (when such corrupted memory allocated
for tile encoder / decoder handle (TCD) is attempted
to be freed).

More official description in Red Hat bug:

Kurt, could you allocate a 2009 CVE id?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 2 Sebastian Krahmer 2012-04-16 06:59:23 UTC
Comment 3 Swamp Workflow Management 2012-04-16 22:00:22 UTC
bugbot adjusting priority
Comment 5 Asterios Dramis 2012-06-27 18:31:32 UTC
A patch has been submitted upstream to fix the issue. See:


If this is OK I'll submit an update in the openjpeg package.
Comment 6 Ludwig Nussel 2012-06-28 07:07:48 UTC
Sure, please go ahead and apply the patch.
Comment 7 Bernhard Wiedemann 2012-06-28 20:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (757260) was mentioned in
https://build.opensuse.org/request/show/126485 Factory / openjpeg
Comment 8 Marcus Meissner 2012-07-04 05:51:02 UTC
I think this marks it done...