SB2017092138 - Buffer overflow in openjpeg (Alpine package)
Published: September 21, 2017
Security Bulletin ID
SB2017092138
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2017-14151)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An off-by-one error was discovered in opj_tcd_code_block_enc_allocate_data in lib/openjp2/tcd.c in OpenJPEG 2.2.0. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service (heap-based buffer overflow affecting opj_mqc_flush in lib/openjp2/mqc.c and opj_t1_encode_cblk in lib/openjp2/t1.c) or possibly remote code execution.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5b27b635acbe69cadaffce1fbe4b69d8256c1315
- https://git.alpinelinux.org/aports/commit/?id=63abfe33f12495cf5ac86d5fd590f018538d33b1
- https://git.alpinelinux.org/aports/commit/?id=6dd49eeff4953456d2d668b4e7653967a44a4972
- https://git.alpinelinux.org/aports/commit/?id=c1056d67e6379994bfff3cc8ff60b100bb94f0a0
- https://git.alpinelinux.org/aports/commit/?id=09b259c2958fc3c703f7bdc84ff7973eb5ee0aa1
- https://git.alpinelinux.org/aports/commit/?id=177eb88fc8668b0fd560c1836cd05bb17c29cad7
- https://git.alpinelinux.org/aports/commit/?id=59aa697c0bdb3436dc0c9a075f26a7c4b5d2fbe5
- https://git.alpinelinux.org/aports/commit/?id=ef3b99f91d4a5648a22401143dd0c2eb84ba81be