FS#68939 - [openjpeg2] [Security] multiple issues (AVG-1343)

Attached to Project: Arch Linux
Opened by Jonas Witschel (diabonas) - Friday, 11 December 2020, 13:10 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 29 December 2020, 07:28 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Andreas Radke (AndyRTR)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Summary
=======

The package openjpeg2 is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2020-27824, CVE-2020-27814, CVE-2020-15389, CVE-2020-8112, CVE-2020-6851, CVE-2019-12973, CVE-2019-6988, CVE-2018-20846 and CVE-2018-16376.

Guidance
========

After the last vulnerability report (FS#68906), I dug a little deeper and discovered that openjpeg has gathered quite a few security issues since its last release 2.3.1 in April 2019. I have collected all the CVEs I could find in the linked security tracker entry. The necessary patches are:

https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3 # CVE-2019-12973
https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66 # CVE-2019-12973
https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 # CVE-2020-6851
https://github.com/uclouvain/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074 # CVE-2020-8112
https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 # CVE-2020-15389
https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9 # CVE-2020-27814
https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d # CVE-2020-27824

CVE-2018-16376 and CVE-2019-6988 appear to have no upstream fixes; CVE-2018-20846 had one (https://github.com/uclouvain/openjpeg/commit/c277159986c80142180fbe5efb256bbf3bdf3edc) which was later reverted (https://github.com/uclouvain/openjpeg/commit/e1740e7ce79d0a1676db4da0f4189b64e85f52cb) because it did not compile.

Given the relatively large number of patches, I think this might be one of the few cases where packaging the current master (currently at commit 98a4c5c3709e0cc43b0a1c151ed5bd85a2d607fa, including all these fixes) might be easier.

References
==========

https://security.archlinux.org/AVG-1343
https://github.com/uclouvain/openjpeg/issues/1286
https://github.com/uclouvain/openjpeg/pull/1292
https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d
https://github.com/uclouvain/openjpeg/issues/1283
https://github.com/uclouvain/openjpeg/pull/1303
https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9
https://github.com/uclouvain/openjpeg/issues/1261
https://github.com/uclouvain/openjpeg/pull/1262
https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0
https://github.com/uclouvain/openjpeg/issues/1231
https://github.com/uclouvain/openjpeg/pull/1232
https://github.com/uclouvain/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074
https://github.com/uclouvain/openjpeg/issues/1228
https://github.com/uclouvain/openjpeg/pull/1229
https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04
https://github.com/uclouvain/openjpeg/issues/1222
https://github.com/uclouvain/openjpeg/pull/1185
https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3
https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66
https://github.com/uclouvain/openjpeg/issues/1178
https://github.com/uclouvain/openjpeg/pull/1168
https://github.com/uclouvain/openjpeg/commit/c277159986c80142180fbe5efb256bbf3bdf3edc
https://github.com/uclouvain/openjpeg/commit/e1740e7ce79d0a1676db4da0f4189b64e85f52cb
https://github.com/uclouvain/openjpeg/issues/1127

Closed by Andreas Radke (AndyRTR)
Tuesday, 29 December 2020, 07:28 GMT
Reason for closing: Fixed
Additional comments about closing: 2.4.0

Comment by Andreas Radke (AndyRTR) - Friday, 11 December 2020, 14:06 GMT
How about kicking upstream to do a stable release? It seems to be one of the projects that sadly doesn't follow "release early & release often".

I have no clue if master is in a good backward-compatible shape or might break something.

Comment by Jonas Witschel (diabonas) - Friday, 11 December 2020, 14:20 GMT
I agree that a new release would be the best option, but am unsure how to approach upstream: the maintainer acknowledges the need for a new release (https://github.com/uclouvain/openjpeg/issues/1222#issuecomment-624129304), but hasn't cut one in over a year and doesn't seem overly receptive to upstream issues asking for one (https://github.com/uclouvain/openjpeg/issues/1247, https://github.com/uclouvain/openjpeg/issues/1238). FWIW, the person reporting some of the more recent security issues asked for a new release two weeks ago: https://github.com/uclouvain/openjpeg/pull/1288#issuecomment-735309012

Comment by Jonas Witschel (diabonas) - Tuesday, 15 December 2020, 14:18 GMT
Some more CVEs have been assigned:

https://github.com/uclouvain/openjpeg/commit/c9380ed0f8cc4794fc71d556ea23ae61e32247af # CVE-2020-27841
https://github.com/uclouvain/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce # CVE-2020-27841
https://github.com/uclouvain/openjpeg/commit/fbd30b064f8f9607d500437b6fedc41431fd6cdc # CVE-2020-27842
https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 # CVE-2020-27843
https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 # CVE-2020-27845

The fixes for CVE-2020-27842 and CVE-2020-27843 are possibly only stopgap solutions according to their commit description.

There is also CVE-2020-27844, see https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296, but this issue probably only affects the current master according to the commit description since the vulnerable code is not present in any released version.
