group.of.nepali.translators team mailing list archive
Message #08339
[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163
This bug was fixed in the package openjpeg2 - 2.1.1-1ubuntu0.1
---------------
openjpeg2 (2.1.1-1ubuntu0.1) yakkety-security; urgency=medium
* SECURITY UPDATE: Out-of-bound heap write possible resulting
in heap corruption and arbitrary code execution (lp: #1630702)
- debian/patches/CVE-2016-8332.patch: fix incrementing of
"l_tcp->m_nb_mcc_records" in opj_j2k_read_mcc
in src/lib/openjp2/j2k.c.
- CVE-2016-8332
* SECURITY UPDATE: Integer overflow possible resulting in
arbitrary code execution via a crafted JP2 file,
triggering out-of-bound read or write (lp: #1630702)
- debian/patches/CVE-2016-7163.patch: fix an integer
overflow issue in function opj_pi_create_decode of
pi.c in src/lib/openjp2/pi.c.
- CVE-2016-7163
-- Nikita Yerenkov-Scott <cooks.go.hungry@xxxxxxxxx> Sat, 08 Oct 2016 16:10:43 +0100
** Changed in: openjpeg2 (Ubuntu Yakkety)
Status: Confirmed => Fix Released
** Changed in: openjpeg2 (Ubuntu Xenial)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1630702
Title:
Fix for CVE-2016-8332 and CVE-2016-7163
Status in openjpeg2 package in Ubuntu:
Fix Released
Status in openjpeg2 source package in Xenial:
Fix Released
Status in openjpeg2 source package in Yakkety:
Fix Released
Bug description:
* Impact
- CVE-2016-8332:
Out-of-bound heap write possible resulting in heap corruption and arbitrary code execution
- CVE-2016-7163:
Integer overflow possible resulting in arbitrary code execution via a crafted JP2 file, triggering out-of-bound read or write
* Test case
- CVE-2016-8332:
Information on exploit: http://www.talosintelligence.com/reports/TALOS-2016-0193/
- CVE-2016-7163:
I haven't been able to find information on the exploit for this except for the information given here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
* Regression potential
These patches have not been tested as I currently do not have the resources to do so.
----------------------------------
Original report:
A security vulnerability was recently disclosed in OpenJPEG and assigned the CVE number of CVE-2016-8332.
The vulnerability is described here (http://www.zdnet.com/article/openjpeg-zero-day-flaw-leads-to-remote-code-execution/):
"
Cisco Talos researchers have uncovered a severe zero-day flaw in the OpenJPEG JPEG 2000 codec which could lead to remote code execution on compromised systems.
On Friday, researchers from Cisco revealed the existence of the zero-day flaw in the JPEG 2000 image file format parser implemented in OpenJPEG library. The out-of-bounds vulnerability, assigned as CVE-2016-8332, could allow an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution.

OpenJPEG is an open-source JPEG 2000 codec. Written in C, the software was created to promote JPEG 2000, an image compression standard which is in popular use and is often used for tasks including embedding images within PDF documents through software including Poppler, MuPDF and Pdfium.

The bug, assigned a CVSS score of 7.5, was caused by errors in parsing mcc records in the jpeg2000 file, resulting in "an erroneous read and write of adjacent heap area memory." If manipulated, these errors can lead to heap metadata process memory corruption.

In a security advisory, the team said the security vulnerability can be exploited by attackers if victims open specifically crafted, malicious JPEG 2000 images. For example, if this content was within a phishing email or hosted on legitimate services such as Google Drive or Dropbox, once downloaded to their system, the path is created for attackers to execute code remotely.

The vulnerability was discovered by Aleksander Nikolic from the Cisco Talos security team in OpenJpeg openjp2 version 2.1.1.
Cisco Talos disclosed the vulnerability to affected vendors on 26 July, granting them time to prepare patches to fix the problem before public release.
"
I am filing this report as a fix for the issue doesn't seem to have yet been backported in and, given the importance of the issue and the ease in exploiting it, it would be good if this is done soon.
This is the fix on GitHub:
https://github.com/uclouvain/openjpeg/pull/820/files
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/1630702/+subscriptions