Bug 962522 - (CVE-2016-1923) VUL-0: CVE-2016-1923, CVE-2016-1924: openjpeg2: Out-of-bounds Read in the OpenJpeg's opj_j2k_update_image_data and opj_tgt_reset function
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Hans Petter Jansson
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/160845/
Depends on:
Blocks:
Reported: 2016-01-19 09:27 UTC by Johannes Segitz
Modified: 2020-05-28 15:21 UTC

Found By: Security Response Team


Attachments
poc (2.50 KB, application/zip) - 2016-01-19 09:27 UTC, Johannes Segitz
openjpeg2-CVE-2016-1923.patch (4.01 KB, patch) - 2019-07-23 00:30 UTC, Hans Petter Jansson

Description Johannes Segitz 2016-01-19 09:27:16 UTC
Created attachment 662282
poc

CVE-2016-1923, CVE-2016-1924
found by Qihoo 360 Codesafe Team

We found two vulnerabilities in the way OpenJpeg's opj_j2k_update_image_data and opj_tgt_reset functions parse certain JPEG 2000 image files.
I was successful in reproducing these issues in the latest version of openjpeg (https://github.com/uclouvain/openjpeg, 2016.1.18).

The crash info about opj_j2k_update_image_data function was:
==1630==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb48010d8 at pc 0x8184862 bp 0xbfff8e58 sp 0xbfff8e50
READ of size 4 at 0xb48010d8 thread T0
==1630==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x8184861 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8184861)

0xb48010d8 is located 0 bytes to the right of 56-byte region [0xb48010a0,0xb48010d8)
allocated by thread T0 here:
    #0 0x80b5f8e (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x80b5f8e)
    #1 0x81ba220 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81ba220)
    #2 0x8273db1 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8273db1)
    #3 0x827c023 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x827c023)
    #4 0x81e0709 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81e0709)
    #5 0x8212cba (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8212cba)
    #6 0x82cc849 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x82cc849)
    #7 0x81ac9b6 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81ac9b6)
    #8 0x80dc56e (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x80dc56e)
    #9 0xb7da2a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x369001c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36900210: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x36900220: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900230: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x36900240: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x36900250: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900260: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1630==ABORTING
[Inferior 1 (process 1630) exited with code 01]

The crash info about opj_tgt_reset function was:
ASAN:SIGSEGV
=================================================================
==1666==ERROR: AddressSanitizer: SEGV on unknown address 0x00008109 (pc 0x083b06c7 sp 0xbfa06420 bp 0xbfa065b8 T0)
==1666==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x83b06c6 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x83b06c6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==1666==ABORTING

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1923
http://seclists.org/oss-sec/2016/q1/131
Comment 1 Swamp Workflow Management 2016-01-19 23:00:14 UTC
bugbot adjusting priority
Comment 2 Asterios Dramis 2017-01-31 20:47:11 UTC
Sorry for taking so long to reply...

This issue does not affect openjpeg but openjpeg2. The mentioned functions do not exist in openjpeg (see also rh#1299767 and rh#1299777). Reassigning to default since I do not maintain openjpeg2.
Comment 3 Michael Vetter 2019-03-29 10:01:28 UTC
Upstream issue: https://github.com/uclouvain/openjpeg/issues/704

It's not clear to me how it was fixed; there were various issues entangled. But since only 42.3 is affected, could we just update to openjpeg 2.3.0 there?

Output with 2.3.0:

> opj_decompress -i poc.jp2 -o out.pgm                                                                                                                                          
> [INFO] Start to read j2k main header (141).
> [ERROR] Error with SIZ marker: IHDR w(7) h(9) vs. SIZ w(7) h(128)
> [ERROR] Marker handler function failed to read the marker segment
> ERROR -> opj_decompress: failed to read the header
> opj_decompress -i poc.jp2 -o test.pgm
> [INFO] Start to read j2k main header (141).
> [ERROR] Error with SIZ marker: IHDR w(7) h(9) vs. SIZ w(33021) h(1)
> [ERROR] Marker handler function failed to read the marker segment
> ERROR -> opj_decompress: failed to read the header

Debian tracker[1] also shows 2.1.2 already as fixed.

1: https://security-tracker.debian.org/tracker/CVE-2016-1923
Comment 7 Hans Petter Jansson 2019-07-23 00:28:52 UTC
The function color_esycc_to_rgb() patched by commit af4a9d92065837caff4e40fd8186342d003fb383 in the upstream issue does not exist in the SLE-12-SP5 version of openjpeg2.

However, the opj_pi_next_pcrl() bits that overflow do exist.

I've made a patch for this that widens the int types for opj_int_floordivpow2() and opj_int_ceildiv() as well as the casts in opj_pi_next_pcrl(). I've also backported as many checks as practically possible for this function from master.
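The widening described in the comment above, as an added illustration that is not the attached patch or OpenJPEG's own code: a 32-bit ceiling division in the shape `(a + b - 1) / b` forms its intermediate sum in int32, so a large dividend taken from an image header pushes it past INT32_MAX; the widened variant forms the sum in int64 and narrows the quotient only after a range check, and the power-of-two floor division validates its shift count instead of trusting it. All function names here are constructed for the example and do not correspond to names in the library or the patch.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: not OpenJPEG's function. Reports whether a
 * 32-bit ceildiv written as (a + b - 1) / b would overflow its intermediate
 * sum (signed overflow is undefined behaviour in C), so a caller can reject
 * the input rather than compute with it. */
static bool ceildiv32_would_overflow(int32_t a, int32_t b)
{
    if (b <= 0)
        return true;                    /* divisor must be positive */
    return a > INT32_MAX - (b - 1);     /* i.e. a + b - 1 > INT32_MAX */
}

/* Widened ceildiv: operands and the sum are 64-bit, the quotient is narrowed
 * back to int32 only after checking it fits. Returns false (leaving *out
 * untouched) for a non-positive divisor, a negative dividend, a sum that would
 * not fit in int64, or a quotient outside the int32 range. */
static bool ceildiv_widened(int64_t a, int64_t b, int32_t *out)
{
    if (b <= 0 || a < 0)
        return false;
    if (a > INT64_MAX - b)              /* guard the 64-bit sum as well */
        return false;
    int64_t q = (a + b - 1) / b;
    if (q > INT32_MAX)
        return false;
    *out = (int32_t)q;
    return true;
}

/* Floor division by 2^b as a checked shift: a >> b floors for non-negative a,
 * but a shift count outside 0..31 is undefined for a 32-bit value, so the
 * count is validated rather than taken on trust from a header field. */
static bool floordivpow2_checked(int32_t a, int32_t b, int32_t *out)
{
    if (a < 0 || b < 0 || b > 31)
        return false;
    *out = a >> b;
    return true;
}

int main(void)
{
    int32_t r;
    /* Constructed input: a dividend near INT32_MAX, of the size a hostile
     * image header could present as a tile or resolution dimension. */
    int32_t big = INT32_MAX - 1;

    printf("32-bit ceildiv(%d, 4) overflows its sum: %s\n", big,
           ceildiv32_would_overflow(big, 4) ? "yes" : "no");
    if (ceildiv_widened(big, 4, &r))
        printf("widened ceildiv(%d, 4) = %d\n", big, r);
    if (!ceildiv_widened((int64_t)INT32_MAX * 4 + 1, 4, &r))
        printf("quotient outside int32 rejected\n");
    if (!floordivpow2_checked(1024, 40, &r))
        printf("shift count 40 rejected\n");
    return 0;
}
```

The point of keeping the range check after widening is that the wider intermediate only removes the wrap; a quotient that does not fit the 32-bit field it is stored into still has to be refused, otherwise the narrowing cast silently reintroduces a wrong value.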
Comment 8 Hans Petter Jansson 2019-07-23 00:30:07 UTC
Created attachment 811231
openjpeg2-CVE-2016-1923.patch

Robustness patch that should cover CVE-2016-1923.
Comment 10 Swamp Workflow Management 2019-08-15 19:12:44 UTC
SUSE-SU-2019:2152-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 962522
CVE References: CVE-2016-1923
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    openjpeg2-2.1.0-4.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    openjpeg2-2.1.0-4.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Marcus Meissner 2020-05-28 15:21:37 UTC
done