From: Leo Famulari
Subject: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Fri, 9 Sep 2016 14:04:58 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

On Fri, Sep 09, 2016 at 02:04:39AM -0400, Leo Famulari wrote:
> Two bugs disclosed in OpenJPEG, CVE-2016-5157 and CVE-2016-7163. Both
> can be used to execute arbitrary code, apparently.
>
> CVE-2016-7163:
> http://seclists.org/oss-sec/2016/q3/442
>
> CVE-2016-5157:
> http://seclists.org/oss-sec/2016/q3/441

My previous attempt to fix these bugs did not work. The patch for
CVE-2016-7163 was mangled in a confusing way, and the patch for
CVE-2016-5157 simply did not apply.

Here is an updated patch series.

First, it updates openjpeg to 2.1.1, which apparently has not changed
the ABI or API:
https://github.com/uclouvain/openjpeg/blob/master/NEWS.md#openjpeg-211

Then, it applies the fix for CVE-2016-7163 to openjpeg and openjpeg-2.0.

Finally, it adapts the upstream fix for CVE-2016-5157 and applies it to
openjpeg. I had to amend this commit slightly, since the diff that adds
tests for the fixed issue referred to a commit that is not yet released.

Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
to investigate this issue separately. The only user of openjpeg-2.0 is
mupdf.

0001-gnu-openjpeg-Update-to-2.1.1.patch
Description: Text document
0002-gnu-openjpeg-2.-Fix-CVE-2016-7163.patch
Description: Text document
0003-gnu-openjpeg-Fix-CVE-2016-5157.patch
Description: Text document
signature.asc
Description: PGP signature