SB2017092139 - Out-of-bounds write in openjpeg (Alpine package)
Published: September 21, 2017
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds write (CVE-ID: CVE-2017-14152)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A mishandled zero case was discovered in opj_j2k_set_cinema_parameters in lib/openjp2/j2k.c in OpenJPEG 2.2.0. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service (heap-based buffer overflow affecting opj_write_bytes_LE in lib/openjp2/cio.c and opj_j2k_write_sot in lib/openjp2/j2k.c) or possibly remote code execution.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5b27b635acbe69cadaffce1fbe4b69d8256c1315
- https://git.alpinelinux.org/aports/commit/?id=63abfe33f12495cf5ac86d5fd590f018538d33b1
- https://git.alpinelinux.org/aports/commit/?id=6dd49eeff4953456d2d668b4e7653967a44a4972
- https://git.alpinelinux.org/aports/commit/?id=c1056d67e6379994bfff3cc8ff60b100bb94f0a0
- https://git.alpinelinux.org/aports/commit/?id=09b259c2958fc3c703f7bdc84ff7973eb5ee0aa1
- https://git.alpinelinux.org/aports/commit/?id=177eb88fc8668b0fd560c1836cd05bb17c29cad7
- https://git.alpinelinux.org/aports/commit/?id=59aa697c0bdb3436dc0c9a075f26a7c4b5d2fbe5
- https://git.alpinelinux.org/aports/commit/?id=ef3b99f91d4a5648a22401143dd0c2eb84ba81be