
CVE-2016-1626 and CVE-2016-1628 #850

Closed
nluedtke opened this issue Sep 23, 2016 · 2 comments
Comments

@nluedtke

The vulnerable code in http://www.zerodayinitiative.com/advisories/ZDI-16-171/ and http://www.zerodayinitiative.com/advisories/ZDI-16-172/ also appears to affect openjpeg in the pi.c file.

Google fixed this code with: https://pdfium.googlesource.com/pdfium.git/+/76c995796f95fd4c54c5f11d2a04392f16478619%5E%21/#F2

```c
/* before */
l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
/* after */
l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1, p_tcp->numlayers); /* Layer Index #0 (End) */
```

Is this something that affects openjpeg? And if so, can you patch it as well?
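The fix quoted above is a one-line clamp: the POC layer bound read from the codestream is capped at the tile's `numlayers` before the packet iterator uses it as a loop limit. The following is an added illustration of why that matters and is not OpenJPEG's or pdfium's code: the structures (`poc_t`, `tcp_t`), the helper names and the toy iterator are simplified assumptions, and the sample values are constructed. It runs the unchecked and the clamped assignment side by side and counts how many iterations of a per-layer loop would fall outside a `numlayers`-sized table.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the OpenJPEG structures involved
   (assumption: the real opj_poc_t / opj_tcp_t carry many more fields). */
typedef struct {
    uint32_t layno0;   /* first layer index (inclusive) */
    uint32_t layno1;   /* layer index one past the last (exclusive bound) */
} poc_t;

typedef struct {
    uint32_t numlayers;   /* number of quality layers actually coded in the tile */
} tcp_t;

/* Same semantics as OpenJPEG's opj_uint_min(). */
static uint32_t uint_min(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* "Before" pattern from the issue: the codestream value is copied as-is. */
static void set_layer_bound_unchecked(poc_t *dst, const poc_t *src, const tcp_t *tcp)
{
    (void)tcp;                  /* numlayers is never consulted */
    dst->layno1 = src->layno1;
}

/* "After" pattern from the issue: clamp against the number of coded layers. */
static void set_layer_bound_clamped(poc_t *dst, const poc_t *src, const tcp_t *tcp)
{
    dst->layno1 = uint_min(src->layno1, tcp->numlayers);
}

/* Toy packet iterator: walks layno0..layno1-1 and reports how many steps
   would index past a table of `numlayers` entries. A real iterator would
   index such a table directly; here we only count the out-of-range steps. */
static uint32_t count_out_of_range_layers(const poc_t *poc, const tcp_t *tcp)
{
    uint32_t bad = 0;
    for (uint32_t layno = poc->layno0; layno < poc->layno1; layno++) {
        if (layno >= tcp->numlayers) bad++;
    }
    return bad;
}

/* Value of layno1 after the clamp, for a constructed codestream value. */
uint32_t clamped_layno1(uint32_t codestream_layno1, uint32_t numlayers)
{
    tcp_t tcp = { numlayers };
    poc_t from_codestream = { 0, codestream_layno1 };   /* constructed input */
    poc_t pi = { 0, 0 };
    set_layer_bound_clamped(&pi, &from_codestream, &tcp);
    return pi.layno1;
}

/* Out-of-range loop steps when the codestream value is used unchecked. */
uint32_t out_of_range_unchecked(uint32_t codestream_layno1, uint32_t numlayers)
{
    tcp_t tcp = { numlayers };
    poc_t from_codestream = { 0, codestream_layno1 };   /* constructed input */
    poc_t pi = { 0, 0 };
    set_layer_bound_unchecked(&pi, &from_codestream, &tcp);
    return count_out_of_range_layers(&pi, &tcp);
}

/* Out-of-range loop steps after the clamp has been applied. */
uint32_t out_of_range_clamped(uint32_t codestream_layno1, uint32_t numlayers)
{
    tcp_t tcp = { numlayers };
    poc_t from_codestream = { 0, codestream_layno1 };   /* constructed input */
    poc_t pi = { 0, 0 };
    set_layer_bound_clamped(&pi, &from_codestream, &tcp);
    return count_out_of_range_layers(&pi, &tcp);
}

int main(void)
{
    /* Constructed case: the tile codes 3 layers, the POC claims 1000. */
    printf("unchecked: %u out-of-range layer steps\n", out_of_range_unchecked(1000, 3));
    printf("clamped:   %u out-of-range layer steps (layno1 -> %u)\n",
           out_of_range_clamped(1000, 3), clamped_layno1(1000, 3));
    return 0;
}
```

The point the clamp makes is that `layno1` is a loop bound taken from untrusted input, so the check belongs where the value enters the iterator rather than in every loop that later consumes it; an in-range value (say 2 of 3 layers) passes through the clamp unchanged.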

@malaterre malaterre added this to the OPJ v2.1.3 milestone Oct 4, 2016
@malaterre
Collaborator

@detonin what do you think of the suggested patch?

@malaterre
Collaborator

BTW the proofs of concept are located in the ZIP file: https://bugs.chromium.org/p/chromium/issues/detail?id=571480#c2

rouault added a commit that referenced this issue Jul 29, 2017
@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017
joebonrichie pushed a commit to solus-packages/openjpeg that referenced this issue Aug 15, 2023
Summary:
This new release includes a significant number of improvements and bug fixes. In particular:
- Multi-threading support at decoding side
- Several speed optimisations both at encoder and decoder, and both on Wavelet
  Transform and Entropy Coding parts. On our test set, a single-threaded
  execution is now around 20% faster (encoding or decoding).
- Huge memory consumption reduction at decoding side (~60% reduction on
  large images)
- Several important bug fixes, in particular the one that was preventing
  OpenJPEG from encoding lossless in some specific situations, as well as those
  related to mode switches (BYPASS/LAZY, RESTART/TERMALL, etc).
- Several security fixes thanks to the inclusion of OpenJPEG in the Google
  OSS Fuzz project.
Besides that, several improvements have been brought to the project maintenance, like inclusion of benchmarking scripts to compare speed with latest available kakadu binaries.

Security fixes:
- CVE-2016-5139, CVE-2016-5152, CVE-2016-5158, CVE-2016-5159 [#854](uclouvain/openjpeg#854)
- CVE-2016-1626 and CVE-2016-1628 [#850](uclouvain/openjpeg#850)

For more info check the [NEWS](https://github.com/uclouvain/openjpeg/blob/v2.2.0/NEWS.md) and the [Changelog](https://github.com/uclouvain/openjpeg/blob/v2.2.0/CHANGELOG.md)

Signed-off-by: Pierre-Yves <pyu@riseup.net>

Test Plan:
```
$ opj_compress -i test.png -o test.j2k

[INFO] tile number 1 / 1
[INFO] Generated outfile test.j2k
encode time: 283 ms
```

Reviewers: #triage_team, JoshStrobl

Reviewed By: #triage_team, JoshStrobl

Subscribers: sunnyflunk, JoshStrobl

Tags: #security

Differential Revision: https://dev.solus-project.com/D794