[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-14 Thread Launchpad Bug Tracker
This bug was fixed in the package openjpeg2 - 2.1.1-1ubuntu0.1

---
openjpeg2 (2.1.1-1ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: Out-of-bound heap write possible resulting
    in heap corruption and arbitrary code execution (lp: #1630702)
    - debian/patches/CVE-2016-8332.patch: fix incrementing of
      "l_tcp->m_nb_mcc_records" in opj_j2k_read_mcc
      in src/lib/openjp2/j2k.c.
    - CVE-2016-8332
  * SECURITY UPDATE: Integer overflow possible resulting in
    arbitrary code execution via a crafted JP2 file,
    triggering out-of-bound read or write (lp: #1630702)
    - debian/patches/CVE-2016-7163.patch: fix an integer
      overflow issue in function opj_pi_create_decode of
      pi.c in src/lib/openjp2/pi.c.
    - CVE-2016-7163

 -- Nikita Yerenkov-Scott   Sat, 08 Oct 2016 16:10:43 +0100

** Changed in: openjpeg2 (Ubuntu Yakkety)
   Status: Confirmed => Fix Released

** Changed in: openjpeg2 (Ubuntu Xenial)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630702

Title:
  Fix for CVE-2016-8332 and CVE-2016-7163

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/1630702/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-14 Thread Launchpad Bug Tracker
This bug was fixed in the package openjpeg2 - 2.1.0-2.1ubuntu0.1

---
openjpeg2 (2.1.0-2.1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bound heap write possible resulting
    in heap corruption and arbitrary code execution (lp: #1630702)
    - debian/patches/CVE-2016-8332.patch: fix incrementing of
      "l_tcp->m_nb_mcc_records" in opj_j2k_read_mcc
      in src/lib/openjp2/j2k.c.
    - CVE-2016-8332
  * SECURITY UPDATE: Integer overflow possible resulting in
    arbitrary code execution via a crafted JP2 file,
    triggering out-of-bound read or write (lp: #1630702)
    - debian/patches/CVE-2016-7163.patch: fix an integer
      overflow issue in function opj_pi_create_decode of
      pi.c in src/lib/openjp2/pi.c.
    - CVE-2016-7163

 -- Nikita Yerenkov-Scott   Sat, 08 Oct 2016 16:10:43 +0100



[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-14 Thread Marc Deslauriers
ACK on the debdiffs, thanks!

Packages are currently building and will be released today.



[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-14 Thread Marc Deslauriers
** Also affects: openjpeg2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: openjpeg2 (Ubuntu Yakkety)
   Importance: Medium
   Assignee: Nikita Yerenkov-Scott (yerenkov-scott)
   Status: Confirmed

** Changed in: openjpeg2 (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: openjpeg2 (Ubuntu Xenial)
   Importance: Undecided => Medium



[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-11 Thread Nikita Yerenkov-Scott
** Changed in: openjpeg2 (Ubuntu)
   Assignee: (unassigned) => Nikita Yerenkov-Scott (yerenkov-scott)



[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-08 Thread Mathew Hodson
** Changed in: openjpeg2 (Ubuntu)
   Importance: Undecided => Medium

** Tags added: patch



[Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163

2016-10-08 Thread Nikita Yerenkov-Scott
This was my conclusion after looking through the CVEs in the list for
openjpeg2:

CVE-2014-7945: Half done but unconfirmable (some files are so different that I am unable to find the relevant lines in them).
CVE-2014-7947: Can't find patch.
CVE-2015-8871: Seems already patched.
CVE-2016-1923: Can't find patch.
CVE-2016-1924: Seems already patched.
CVE-2016-3181: Closed upstream as a duplicate of the CVE-2016-3182 bug report (I am confused about what to do for this).
CVE-2016-3182: Seems already patched.
CVE-2016-3183: Some changes are already present in accordance with the upstream patch; however, in the majority of cases the file is so different from the upstream one that I am unable to figure out what to put where. I am also concerned that, as they are so different, the changes would perhaps not be compatible with it.
CVE-2016-4796: Seems already patched.
CVE-2016-4797: Seems already patched.
CVE-2016-7445: Unable to view patch.
CVE-2016-7163: Successfully patched.
CVE-2016-8332: Successfully patched.

I will now attach the debdiffs for Yakkety and Xenial with those two
patches patched. I have never done a debdiff for CVE related fixes
before so I hope that I have done everything correctly. I assume that
you will let me know if I have not so that I can fix any issues.

** Summary changed:

- CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap 
corruption and arbitrary code execution
+ Fix for CVE-2016-8332 and CVE-2016-7163

** Description changed:

- A security vulnerability was recently disclosed in openjpeg and assigned
+ * Impact
+ - CVE-2016-8332:
+ Out-of-bound heap write possible resulting in heap corruption and arbitrary code execution
+ 
+ - CVE-2016-7163:
+ Integer overflow possible resulting in arbitrary code execution via a crafted JP2 file, triggering out-of-bound read or write
+ 
+ * Test case
+ - CVE-2016-8332:
+ Information on exploit: http://www.talosintelligence.com/reports/TALOS-2016-0193/
+ 
+ - CVE-2016-7163:
+ I haven't been able to find information on the exploit for this except for the information given here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
+ 
+ * Regression potential
+ These patches have not been tested as I currently do not have the resources to do so.
+ 
+ --
+ 
+ Original report:
+ 
+ A security vulnerability was recently disclosed in OpenJPEG and assigned
  the CVE number of CVE-2016-8332.
  
  The vulnerability is described here (http://www.zdnet.com/article
  /openjpeg-zero-day-flaw-leads-to-remote-code-execution/):
  
  "
  Cisco Talos researchers have uncovered a severe zero-day flaw in the OpenJPEG
  JPEG 2000 codec which could lead to remote code execution on compromised
  systems.
  
  On Friday, researchers from Cisco revealed the existence of the zero-day
  flaw in the JPEG 2000 image file format parser implemented in OpenJPEG
  library. The out-of-bounds vulnerability, assigned as CVE-2016-8332,
  could allow an out-of-bound heap write to occur resulting in heap
  corruption and arbitrary code execution.
  
  OpenJPEG is an open-source JPEG 2000 codec. Written in C, the software
  was created to promote JPEG 2000, an image compression standard which is
  in popular use and is often used for tasks including embedding images
  within PDF documents through software including Poppler, MuPDF and
  Pdfium.
  
  The bug, assigned a CVSS score of 7.5, was caused by errors in parsing
  mcc records in the jpeg2000 file, resulting in "an erroneous read and
  write of adjacent heap area memory." If manipulated, these errors can
  lead to heap metadata process memory corruption.
  
  In a security advisory, the team said the security vulnerability can be
  exploited by attackers if victims open specifically crafted, malicious
  JPEG 2000 images. For example, if this content was within a phishing
  email or hosted on legitimate services such as Google Drive or Dropbox,
  once downloaded to their system, the path is created for attackers to
  execute code remotely.
  
  The vulnerability was discovered by Aleksander Nikolic from the Cisco
  Talos security team in OpenJpeg openjp2 version 2.1.1.
  
  Cisco Talos disclosed the vulnerability to affected vendors on 26 July,
  granting them time to prepare patches to fix the problem before public release.
  "
  
  I am filing this report as a fix for the issue doesn't seem to have yet
  been backported in and given the importance of the issue and the ease in
  exploiting it, it would be good if this is done soon.
  
  This is the fix on GitHub:
  https://github.com/uclouvain/openjpeg/pull/820/files

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7945

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7947

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8871

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1923

** CVE added: http://www.cve.mitre.org/cgi-