openjpeg2: CVE-2018-5785: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c

Debian Bug report logs - #888533
openjpeg2: CVE-2018-5785: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openjpeg2: CVE-2018-5785: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c

Date: Fri, 26 Jan 2018 21:14:16 +0100

Source: openjpeg2
Version: 2.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1057

Hi,

the following vulnerability was published for openjpeg2.

CVE-2018-5785[0]:
| In OpenJPEG 2.3.0, there is an integer overflow caused by an
| out-of-bounds left shift in the opj_j2k_setup_encoder function
| (openjp2/j2k.c). Remote attackers could leverage this vulnerability to
| cause a denial of service via a crafted bmp file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5785
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5785
[1] https://github.com/uclouvain/openjpeg/issues/1057
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1537758#c2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #18 received at 888533@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 884738@bugs.debian.org, 888533@bugs.debian.org, 889683@bugs.debian.org, 904873@bugs.debian.org, 910763@bugs.debian.org

Cc: luciano@debian.org

Subject: openjpeg2: diff for NMU version 2.3.0-1.2

Date: Sun, 10 Mar 2019 16:59:29 +0100

[Message part 1 (text/plain, inline)]

Control: tags 884738 + patch
Control: tags 888533 + patch
Control: tags 889683 + patch
Control: tags 904873 + patch
Control: tags 910763 + patch

Dear maintainer,

Following the DSA from Luciano I started preparing a NMU for openjpeg2
fixing the same CVEs as in the DSA to avoid a regression from stretch
to buster.

Though I have not yet uploaded to a delayed queue, as I noticed that
openjpeg2 seem to FTBFS in unstable right now. Investigating this
first.

Regards,
Salvatore

[openjpeg2-2.3.0-1.2-nmu.diff (text/x-diff, attachment)]

Message #23 received at 888533-close@bugs.debian.org (full text, mbox, reply):

From: Mathieu Malaterre <malat@debian.org>

To: 888533-close@bugs.debian.org

Subject: Bug#888533: fixed in openjpeg2 2.3.0-2

Date: Sun, 10 Mar 2019 17:50:19 +0000

Source: openjpeg2
Source-Version: 2.3.0-2

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Mar 2019 18:34:51 +0100
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source
Version: 2.3.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.3.0-2) unstable; urgency=high
 .
   [ Hugo Lefeuvre ]
   * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
     jp3d/convert.c (Closes: #884738).
   * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
     pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
   * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
     (Closes: #910763).
   * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
     opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
   * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
     openjp2/t1.c (Closes: #889683).
 .
   [ Mathieu Malaterre ]
   * Add Hugo as Uploader
Checksums-Sha1:
 26883ff0dfeb5e7e8fa32954a0ac04ad8b3a0ef0 2757 openjpeg2_2.3.0-2.dsc
 c270a0b9ab31b9484c265fe0f7f5263ddbfdd68b 21040 openjpeg2_2.3.0-2.debian.tar.xz
 775b0ffea7429fa7b8cf7fdb66e8a67b71c90c9a 15501 openjpeg2_2.3.0-2_source.buildinfo
Checksums-Sha256:
 3b5e407cde75432d1a9bdd92ee229644d1e804302f6421b24fe91372bdcf4841 2757 openjpeg2_2.3.0-2.dsc
 def9d0c3020e494fc9e69a674f03e11e736e7765292cf0fe01d481f4cb578b5a 21040 openjpeg2_2.3.0-2.debian.tar.xz
 926398f35fa8e3a8b83d01613ae7300826048a507674e2819312ea7c39528254 15501 openjpeg2_2.3.0-2_source.buildinfo
Files:
 2d5fcb24dfc3176548866a25a6e34a19 2757 libs optional openjpeg2_2.3.0-2.dsc
 6321d54d89ffcf19bf79ea180bfdcfd4 21040 libs optional openjpeg2_2.3.0-2.debian.tar.xz
 b88b898e9482387089fe63c1f3b13c87 15501 libs optional openjpeg2_2.3.0-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEaTNn/67NjqrNHwY7AXHhgorgk0UFAlyFSw0RHG1hbGF0QGRl
Ymlhbi5vcmcACgkQAXHhgorgk0UmTg//STU21I8TDyd5qSDCoPBSlthHVfCL7r1/
+3w5Of30DdpPJQ0luyKM6YbqieGgH+IEyEB4yU8H155amLs1MWPuwZuCsOVfv3BH
gzSKJpFVCYQ+XyH39XMyZ57yKZfQaMBO4/Q2VVYKDHdz3xTUvDh9J+eZhO3uu2d3
6R6EfBERfCi2l9+pq0l8/hFn0+tAp95wqM+fkQDis4QpLmVwxRM/3QlgveDKUqeD
F9XYwc6HBsHHkJgkA8jNsUWXtYEapM+9Nya7J8Ndqtj5KH5Jy7dklI7PIAJV4S9y
DNQ6lrXskpKqU+UsYYTTvX8ZkK+nN+ubUwixCbawYITH2Li3Qp+KKeDhKYWvs8i6
U4HT21HH+2Khf3qKNSwYB5yT70fdu5cNXEMw5FngfWT9Vjk8DsHu/7fv0Idi21XT
YCVYZPWl/SXOIXC52J793BUhL8WA39eYk1iGVr8Bqhw3pwEmN6gkazwaFx2obfch
hrrfd+d/vo9+8096HVrRjfPM7Dw7gBvVtS6Cs5+GUx9MFeVdmUIeScpxp1yJ+1oh
ddvreeRneCO5fBzRFbZPMfiUY3YNUGTBI/3wV0yRfqoSXnB0gZm6rFrTPjtdFYaq
ZP8NWvC7I1xsyFpBmRnY78JZfOmMkDC+NfAvTEdyo2wIxjjnTT184PMto0gwm0Z8
EWWuVSm7Mk0=
=thfA
-----END PGP SIGNATURE-----

Message #28 received at 888533-close@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: 888533-close@bugs.debian.org

Subject: Bug#888533: fixed in openjpeg2 2.1.2-1.1+deb9u3

Date: Tue, 12 Mar 2019 16:17:09 +0000

Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u3

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Mar 2019 16:41:30 -0500
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
     pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
   * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
     (closes: #889683).
   * CVE-2017-17480: Write stack buffer overflow due to missing buffer
     length formatter in fscanf call (closes: #884738).
   * CVE-2018-18088: Null pointer dereference caused by null image
     components in imagetopnm (closes: #910763).
   * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
Checksums-Sha1:
 0bb0b62c4d594aee08a9c8ad0e09600ff837fca1 2797 openjpeg2_2.1.2-1.1+deb9u3.dsc
 bf7200a53237309731c0a7aeb5bb3d3521cdd2e5 25464 openjpeg2_2.1.2-1.1+deb9u3.debian.tar.xz
 9c0984edc917655a29a4114dadd74d7448baa9d2 1104792 libopenjp2-7-dbg_2.1.2-1.1+deb9u3_amd64.deb
 1884bd30286fc08ec51a9bb7e890d941e1654495 38598 libopenjp2-7-dev_2.1.2-1.1+deb9u3_amd64.deb
 f921ecfcbfeb3a7d5feabe7dc53d078d0a2b4451 122130 libopenjp2-7_2.1.2-1.1+deb9u3_amd64.deb
 e2488d27382a742a8d431a0730f4aebf50b38deb 94044 libopenjp2-tools_2.1.2-1.1+deb9u3_amd64.deb
 ded14698e1d569f9ecc8da5f765a6236540c8560 41600 libopenjp3d-tools_2.1.2-1.1+deb9u3_amd64.deb
 8e49a8941eee3817d4033bbc8aa216d421ac4017 84986 libopenjp3d7_2.1.2-1.1+deb9u3_amd64.deb
 0116918ac53e864dbf1fb88d662d2bc816fa6344 28564 libopenjpip-dec-server_2.1.2-1.1+deb9u3_amd64.deb
 8527587877ab29da1d35cc03d9d91493ce8820de 51002 libopenjpip-server_2.1.2-1.1+deb9u3_amd64.deb
 2c58348763b4109a6160b5fc464301858c498634 45150 libopenjpip-viewer_2.1.2-1.1+deb9u3_all.deb
 5c883cbc1749227db6c85bdfea7ef15d99e161d2 60780 libopenjpip7_2.1.2-1.1+deb9u3_amd64.deb
 3b5b33a9cd176a2b164eebf0cd69c18cde78ad04 15461 openjpeg2_2.1.2-1.1+deb9u3_amd64.buildinfo
Checksums-Sha256:
 dcb5cf6adee12ab0cc23d9a08731df6ee87406a98f623233348580e9f0373f78 2797 openjpeg2_2.1.2-1.1+deb9u3.dsc
 c168bec05ef60b78e1d219760d6faf67e58f9055cbde770005bd12123c3b0002 25464 openjpeg2_2.1.2-1.1+deb9u3.debian.tar.xz
 18e57bc0920008f558ba3664e12f647fa851e6d4bdec53078a585d99c4f5cd5b 1104792 libopenjp2-7-dbg_2.1.2-1.1+deb9u3_amd64.deb
 be81266d7855f4d608738f5b5823d5fab4df4181b5e877e2c5c8e55926ca62d2 38598 libopenjp2-7-dev_2.1.2-1.1+deb9u3_amd64.deb
 c27e9a64efd804baccb0bd2721286a928a352d822710abe00a96d12e9e7c8789 122130 libopenjp2-7_2.1.2-1.1+deb9u3_amd64.deb
 56ff2b99ed823eda18f5b9b06f4aa7676c9cad5c220be2601fb5cd8de198435c 94044 libopenjp2-tools_2.1.2-1.1+deb9u3_amd64.deb
 59510064aedb3959942aa94dac75f2231a00f2d39fb7b784fd1ff0db8acb1327 41600 libopenjp3d-tools_2.1.2-1.1+deb9u3_amd64.deb
 54f2ba8c1257a2ea59e3eb8ab812a189c33a687ede3148a66399a277f4a54d79 84986 libopenjp3d7_2.1.2-1.1+deb9u3_amd64.deb
 24eaea599e88ceb716a77e5b10f979bb15f282e40da1a0fe516dbba0a997b43f 28564 libopenjpip-dec-server_2.1.2-1.1+deb9u3_amd64.deb
 027ae15436855e26039dbd6fe1bf0454f9278dc909718870996bf678ecfbfc97 51002 libopenjpip-server_2.1.2-1.1+deb9u3_amd64.deb
 37ee8d1ff37aa71dc0da418b12ad98d779cb439c715209ec0a4e10644cd52fa3 45150 libopenjpip-viewer_2.1.2-1.1+deb9u3_all.deb
 3819a0ddbf629f9e15b974012223504d900bc4a29db7d3425e5c6e6512c8885c 60780 libopenjpip7_2.1.2-1.1+deb9u3_amd64.deb
 757801686b19428ae77f0b9b09004b4e7de3b46e2d0ac053b43969e829b4dff5 15461 openjpeg2_2.1.2-1.1+deb9u3_amd64.buildinfo
Files:
 07cab98fc00a26409aeaf301a3c9dafe 2797 libs optional openjpeg2_2.1.2-1.1+deb9u3.dsc
 e99ac3fca1bd9ab9aa164346db9f5f54 25464 libs optional openjpeg2_2.1.2-1.1+deb9u3.debian.tar.xz
 67dbede5aaf2db2670cd372f82477191 1104792 debug extra libopenjp2-7-dbg_2.1.2-1.1+deb9u3_amd64.deb
 f3155b3bec2e217a2e62af0544005f3e 38598 libdevel optional libopenjp2-7-dev_2.1.2-1.1+deb9u3_amd64.deb
 c5e1828696f6fbe81a5e8ae0b132872c 122130 libs optional libopenjp2-7_2.1.2-1.1+deb9u3_amd64.deb
 ba1a18f5171cfbf8105f47ea8e94a724 94044 graphics optional libopenjp2-tools_2.1.2-1.1+deb9u3_amd64.deb
 6df1cf91913480769e8eea3123ab3dc8 41600 graphics optional libopenjp3d-tools_2.1.2-1.1+deb9u3_amd64.deb
 e888089592bcb92c74d37387c31bd771 84986 libs optional libopenjp3d7_2.1.2-1.1+deb9u3_amd64.deb
 cbb7261624611756e0763f3ed0199557 28564 graphics optional libopenjpip-dec-server_2.1.2-1.1+deb9u3_amd64.deb
 b3745aee4c333a47c8edf53a1551fc6e 51002 graphics optional libopenjpip-server_2.1.2-1.1+deb9u3_amd64.deb
 f77cc3ba770a5c969070feef5c703e2b 45150 graphics optional libopenjpip-viewer_2.1.2-1.1+deb9u3_all.deb
 8293bcf4d675bf00535b28a4a04cac6b 60780 libs optional libopenjpip7_2.1.2-1.1+deb9u3_amd64.deb
 6704384b3c4de6b601d9beac771a5924 15461 libs optional openjpeg2_2.1.2-1.1+deb9u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlyFEcEACgkQbsLe9o/+
N3TqKA//Q8tDyecutOV43IXXdaexrLF+UtcXn8ZDFj+G0RtFXmrIOsenZFP8JHyi
zOUi/dCIfgH7V6qFRTkt/qbUp7Zx0AAxUhJEdcvCO4L3RPyF2zrvibcSjdH2xHEP
J6OFtINQnUpnL94toEQWmzgptu2bPqduTael8c7hvGADYFt9NdNacfMaOWGXuD7N
TpUFr7dkMGtHA5nJUFsAp7L5DpJZAjvUO6UVeAyVPZEwVjS44VUPVtUXROk7t9Qm
9J5LbHMu3SifUSDbEI+a7YG35/rd7aNWz3Nl3PKFuIsCIbdXEJ/mKEPLlXJwo7bw
NRfkffKJ4ewK7P6o5w7Xp2bFm7qwRHwXr5d2OiiGNupxQzi86/YXdwVjADUq6MWL
PMa9baJOPexxiBBZjXnnappas/6m+mSAM1dPaW/rRegq+FWFuNUQm3/6oZHHNC/y
Lbczft0lYg8REdeFJBBk8Dn88IA7WbZjaSfB4K1b9BD8ushHKiSxQK5j6BVldTJK
oTt0EOb2FX5g6T3bOWnhbPxEPZGOySCXIws3k8bnyvPtj6wZD3r/O/T3baKpDpFh
wp+7uP4f588/E+n3Sl6LVn8VXsN3rs8lwqrwlqOrksSNXo9tKGy6Ft1XuUg954z1
Igt+zEF3uM57StL5wabmYPMtx6PYI4bgxnhLsP1zhdZgL06P0lo=
=5UPl
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.