Opened 2 years ago
Closed 8 weeks ago
#16235 closed enhancement (overcomebyevents)
Fix CVE-2021-3575 in OpenJPEG (Wait for upstream consensus)
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | lowest | Milestone: | 12.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
OpenJPEG-2.4.0 is vulnerable to a heap buffer overflow that is known to lead to arbitrary code execution.
A fix can be found here: https://github.com/msabwat/openjpeg/commit/f4cb033a340b55dbc576453c4b6a967fec5cbbda
The most recent report for the vulnerability was June 2021.
Change History (15)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 2 years ago
comment:3 by , 2 years ago
For what it's worth, I got it from here: https://www.cisa.gov/uscert/ncas/bulletins/sb22-073
I get an email on a weekly basis that details all recent vulnerabilities that the US Government is aware of
follow-up: 6 comment:4 by , 2 years ago
Actually, the problem seems to be that the fix breaks one of the tests, so that they do not know what to do... And they seem to not be sure whether the fix introduces other issues or not. But it is amazing they have remained silent for 9 months now. Or maybe they discuss privately since it is security related.
In any case, the file src/bin/common/color.c has not been modified in master since April 2020. So the fix is not applied upstream (at least publicly).
comment:5 by , 2 years ago
https://github.com/advisories/GHSA-j3vw-4g3g-wvjc was published 12 days ago
There's some other commits which are related to, or contain, security fixes as well:
https://github.com/uclouvain/openjpeg/commit/1462e9403fb7d1186e999701dfe72980262a089c
https://github.com/uclouvain/openjpeg/commit/241e9e8efeb6750ef4202a61b3a436628e4f6d23
https://github.com/uclouvain/openjpeg/commit/70f5e0a0df0b97a5675673b779105dc8e5cfed30
https://github.com/uclouvain/openjpeg/commit/a1eec9c49e143fab0e0c0dcc13f94f11fef04f22
https://github.com/uclouvain/openjpeg/commit/6e4588f379be0eb5b62fff65bf96aa1ca556ea96
https://github.com/uclouvain/openjpeg/commit/1daaa0b909aebdf71be36238d16dfbec83c494ed
https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c
https://github.com/uclouvain/openjpeg/commit/15594a3dbf735eb52b4a262ed1d4c50779404018
https://github.com/uclouvain/openjpeg/commit/badbd93af92836c7a38ef069d410a829e2575ce2
https://github.com/uclouvain/openjpeg/commit/0afbdcf3e6d0d2bd2e16a0c4d513ee3cf86e460d
https://github.com/uclouvain/openjpeg/commit/e0993d072a0cd8c60d9babd30c58320f13eff867
The fix is not applied upstream, and as far as I can tell, Red Hat is the only group that has a fix for any of these. Ubuntu continues to defer them, even though proof-of-concept exploits (at least for CVE-2021-3575) are public - the proof-of-concept is in the bug report.
follow-up: 9 comment:6 by , 2 years ago
Replying to pierre:
Actually, the problem seems to be that the fix breaks one of the tests, so that they do not know what to do... And they seem to not be sure whether the fix introduces other issues or not. But it is amazing they have remained silent for 9 months now. Or maybe they discuss privately since it is security related.
In any case, the file src/bin/common/color.c has not been modified in master since April 2020. So the fix is not applied upstream (at least publicly).
Yeah the fix has not been applied upstream, and I'm not sure where exactly Red Hat got their patches from for this.
What's interesting is that https://github.com/uclouvain/openjpeg/issues/1347 mentions making the issue public, even though it's not fixed!
comment:7 by , 2 years ago
RedHat uses the patch you posted in the initial ticket. Their source can be found here:
http://vault.centos.org/8-stream/AppStream/Source/SPackages/openjpeg2-2.4.0-4.el8.src.rpm
comment:8 by , 2 years ago
The problem is we don't know if the patch is a correct fix, or just papering over the ASAN warn without fixing the underlying issue. And it seems even the upstream maintainer also doesn't know...
Is there any expert in image processing here? :)
comment:9 by , 2 years ago
Replying to Douglas R. Reno:
Yeah the fix has not been applied upstream, and I'm not sure where exactly Red Hat got their patches from for this.
What's interesting is that https://github.com/uclouvain/openjpeg/issues/1347 mentions making the issue public, even though it's not fixed!
It looks like some CTF guy submitted a public issue improperly, maybe to improve his reputation in CTF area. I don't like those competition participants not obeying the rule of the open source community.
comment:10 by , 2 years ago
| Milestone: | 11.2 → 99-Waiting |
|---|---|
| Summary: | Fix CVE-2021-3575 in OpenJPEG → Fix CVE-2021-3575 in OpenJPEG (Wait for upstream consensus) |
comment:11 by , 2 years ago
| Priority: | elevated → lowest |
|---|
comment:12 by , 2 years ago
We should definitely not use the suggested patch.
That patch, modifies openjpeg/src/bin/common/color.c, which is not a part of libopenjp2.so. So if the patch is really correct, this vulnerability is actually not exploitable unless you run a tool shipped by openjpeg. Then there is no urgency to use it. Otherwise, the patch is useless to prevent a real attack (by putting a malicious j2k image on a web page etc.).
comment:13 by , 21 months ago
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
comment:14 by , 8 weeks ago
| Milestone: | 99-Waiting → 12.2 |
|---|---|
| Resolution: | wontfix |
| Status: | closed → reopened |
comment:15 by , 8 weeks ago
| Resolution: | → overcomebyevents |
|---|---|
| Status: | reopened → closed |
Fixed with #19370.
Hmmm, upstream does not seem to be convinced by the fix! https://github.com/uclouvain/openjpeg/pull/1362