I reviewed openjpeg 1.3+dfsg-4.6ubuntu2 from saucy. This should not
be considered a full security audit, but rather a quick gauge of code
cleanliness.
- openjpeg provides a library interface and command line utilities for
manipulating jpeg2000 formatted files.
- build-deps upon libtiff-dev
- Does not use cryptography, does not itself do networking
- Does not daemonize
- Does not provide initscripts
- Does not provide D-Bus services
- Does not provide setuid executables
- Provides four programs
  - index_create
  - jp2-thumbnailer
  - image_to_j2k
  - j2k_to_image
- Does not provide sudo fragments
- Does not provide cron jobs
- Messy build logs, most warnings can be safely ignored but these may be
  serious:
  - signedness error mistakes in j2k_index_JPIP() and one program's main()
  - 'tmp' may be used uninitialized in j2k_read_sot()
  - Frequent casting of malloc(3)'s return value defeats compiler warnings
  - Incorrect function prototyping defeats compiler warnings
- I did not discover a test suite.
[ Details redacted until 2013-09-09 -- sarnold 2013-08-28 ]
- cio_*() family of routines never check out-of-bounds reads and writes
  before the allocated buffer, even though cursor manipulations frequently
  rewind the cursor. I'm surprised such an obvious reliability measure is
  missing.
I have applied for CVE numbers.
I stopped auditing this package part-way through, so the above list of
problems is not exhaustive. This package needs a severe overhaul.
Security team NAK for promoting to main.
Thanks
** Changed in: openjpeg (Ubuntu)
Status: Confirmed => Won't Fix
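
An added example, not part of the original message and not openjpeg's code: a minimal cursor over a byte buffer whose seek, read and write routines refuse any move that would land before the start or past the end of the allocation, which is the check the review says the cio_*() routines lack. The bcur_* names and the 8-byte sample buffer are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bounds-checked cursor; names are illustrative, not openjpeg's.
   Invariant maintained by every routine: start <= bp <= end. */
typedef struct { uint8_t *start, *end, *bp; } bcur_t;

void bcur_init(bcur_t *c, uint8_t *buf, size_t len) {
    c->start = c->bp = buf;
    c->end = buf + len;   /* one past the last valid byte */
}

/* Relative seek; negative n rewinds. Refused if it would leave [start, end]. */
int bcur_skip(bcur_t *c, ptrdiff_t n) {
    if (n < -(c->bp - c->start) || n > c->end - c->bp) return -1;
    c->bp += n;
    return 0;
}

/* Write the low n bytes (1..4) of v, big-endian, if they fit before end. */
int bcur_write(bcur_t *c, uint32_t v, unsigned n) {
    if (n < 1 || n > 4 || (size_t)(c->end - c->bp) < n) return -1;
    for (unsigned i = 0; i < n; i++)
        c->bp[i] = (uint8_t)(v >> (8 * (n - 1 - i)));
    c->bp += n;
    return 0;
}

/* Read n bytes (1..4) as a big-endian value into *out, if they are available. */
int bcur_read(bcur_t *c, unsigned n, uint32_t *out) {
    uint32_t v = 0;
    if (n < 1 || n > 4 || (size_t)(c->end - c->bp) < n) return -1;
    for (unsigned i = 0; i < n; i++)
        v = (v << 8) | c->bp[i];
    c->bp += n;
    *out = v;
    return 0;
}

/* Constructed scenario; returns the value read back, or 0 if a check misbehaved. */
uint32_t bcur_demo(void) {
    uint8_t buf[8];
    bcur_t c;
    uint32_t v = 0;
    bcur_init(&c, buf, sizeof buf);
    if (bcur_write(&c, 0xA1B2C3D4u, 4) != 0) return 0;
    if (bcur_skip(&c, -6) != -1 || c.bp != buf + 4) return 0; /* rewind before start refused */
    if (bcur_skip(&c, -4) != 0 || bcur_read(&c, 4, &v) != 0) return 0;
    if (bcur_skip(&c, 5) != -1) return 0;                     /* only 4 bytes remain */
    return v;
}
```

A refused operation leaves the cursor where it was, so a caller parsing untrusted input can stop on the first error without the position having drifted outside the buffer.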
--
https://bugs.launchpad.net/bugs/711061
Title:
[MIR] libopenjpeg2