Bug 1012822 (CVE-2016-9675) - VUL-0: CVE-2016-9675: openjpeg: incorrect fix for CVE-2013-6045
Summary: VUL-0: CVE-2016-9675: openjpeg: incorrect fix for CVE-2013-6045
Status: RESOLVED INVALID
Alias: CVE-2016-9675
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 42.2
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Asterios Dramis
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-30 14:03 UTC by Alexander Bergmann
Modified: 2017-10-11 01:04 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-11-30 14:03:35 UTC 
rh#1382202

A flaw was found in the patch for CVE-2013-6045 for openjpeg-1.  A crafted
jpeg2000 image could cause heap-based buffer overflows, leading to a crash or
possible code execution when reading or converting the crafted file.

External reference:
http://seclists.org/oss-sec/2016/q3/624

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1036495#c20
https://bugs.debian.org/734238

Correct patch:
http://pkgs.fedoraproject.org/cgit/rpms/openjpeg.git/tree/openjpeg-1.5.1-CVE-2013-6045.patch

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1382202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9675
Comment 1 Swamp Workflow Management 2016-11-30 23:00:39 UTC 
bugbot adjusting priority
Comment 2 Asterios Dramis 2017-02-02 22:39:17 UTC 
This issue affects only openjpeg <= 1.5.1. See also

http://seclists.org/oss-sec/2016/q3/624

and

https://bugzilla.redhat.com/show_bug.cgi?id=1036495#c20

The suggested patch is from version 1.5.2. 

Leap >= 42.1 and Tumbleweed already have version 1.5.2.
Comment 3 Karl Cheng 2017-10-11 01:04:46 UTC 
CVE does not affect openSUSE as mentioned in comment 2. (SLE does not include openjpeg 1.x.)