openjpeg2: CVE-2017-14151: heap-based buffer overflow in opj_mqc_flush

Related Vulnerabilities: CVE-2017-14151, CVE-2017-14041, CVE-2017-14152, CVE-2016-10504

Debian Bug report logs - #874430

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 6 Sep 2017 04:51:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version openjpeg2/2.1.2-1.3

Fixed in version openjpeg2/2.3.0-1

Done: Mathieu Malaterre <malat@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/uclouvain/openjpeg/issues/982


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#874430; Package src:openjpeg2. (Wed, 06 Sep 2017 04:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 06 Sep 2017 04:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpeg2: CVE-2017-14151: heap-based buffer overflow in opj_mqc_flush
Date: Wed, 06 Sep 2017 06:49:03 +0200
Source: openjpeg2
Version: 2.1.2-1.3
Severity: grave
Tags: security upstream patch
Forwarded: https://github.com/uclouvain/openjpeg/issues/982

Hi,

the following vulnerability was published for openjpeg2.

CVE-2017-14151[0]:
| An off-by-one error was discovered in
| opj_tcd_code_block_enc_allocate_data in lib/openjp2/tcd.c in OpenJPEG
| 2.2.0. The vulnerability causes an out-of-bounds write, which may lead
| to remote denial of service (heap-based buffer overflow affecting
| opj_mqc_flush in lib/openjp2/mqc.c and opj_t1_encode_cblk in
| lib/openjp2/t1.c) or possibly remote code execution.

Verifiable with an ASAN build of openjpeg2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14151
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14151
[1] https://github.com/uclouvain/openjpeg/issues/982
[2] https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 11 Sep 2017 17:33:45 GMT)


Reply sent to Mathieu Malaterre <malat@debian.org>:
You have taken responsibility. (Mon, 16 Oct 2017 09:09:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 Oct 2017 09:09:20 GMT)


Message #12 received at 874430-close@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 874430-close@bugs.debian.org
Subject: Bug#874430: fixed in openjpeg2 2.3.0-1
Date: Mon, 16 Oct 2017 09:08:02 +0000
Source: openjpeg2
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Oct 2017 07:43:41 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 874115 874430 874431 877676 877758
Changes:
 openjpeg2 (2.3.0-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #877758
   * Drop explicit -dbg package. Closes: #877676
   * Fix CVE-2017-14041. Closes: #874115
   * Fix CVE-2017-14151. Closes: #874430
   * Fix CVE-2017-14152. Closes: #874431



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#874430; Package src:openjpeg2. (Mon, 23 Oct 2017 16:57:05 GMT)


Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 23 Oct 2017 16:57:05 GMT)


Message #17 received at 874430@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 874113@bugs.debian.org, 874430@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: CVE-2016-10504 / CVE-2017-14151
Date: Mon, 23 Oct 2017 18:52:35 +0200
Control: notfound -1 2.1.0-2+deb8u2

I have been trying to track those related CVEs and it appears that this
commit should avoid this kind of issue:

https://github.com/uclouvain/openjpeg/commit/3a80b72ac

(I had actually forgotten I authored this back then).

I think the issue was introduced later:

https://github.com/uclouvain/openjpeg/commit/e05d2901e

So I will not include the related patch.

Cheers



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Nov 2017 07:26:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:05:21 2019; Machine Name: buxtehude
