CVE-2017-12982
Published: 21 August 2017
The bmp_read_info_header function in bin/jp2/convertbmp.c in OpenJPEG 2.2.0 does not reject headers with a zero biBitCount, which allows remote attackers to cause a denial of service (memory allocation failure) in the opj_image_create function in lib/openjp2/image.c, related to the opj_aligned_alloc_n function in opj_malloc.c.
From the Ubuntu Security Team
It was discovered that OpenJPEG incorrectly handled certain image files. A remote attacker could possibly use this issue to cause a denial of service.
Notes
Author | Note |
---|---|
ccdm94 | openjpeg is not affected by this issue since the variable which was not checked for value 0 is checked in the 1.x versions. The code was refactored in versions 2.x, and this check was removed, causing the vulnerability. In versions 1.x, variable Info_h.biBitCount is checked for values 24 and 8, and if not equal to one of them, the converter returns an error message instead of processing the image file given as input. In versions 1.x of openjpeg, the function that contains similar code to the vulnerable one in versions 2.x can be found in file convert.c. The reproducer does not cause the memory allocation failure error in versions 1.x. |
Priority
Status
Package | Release | Status |
---|---|---|
ghostscript Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not compiled)
|
focal |
Not vulnerable
(uses system openjpeg2)
|
|
groovy |
Not vulnerable
(uses system openjpeg2)
|
|
hirsute |
Not vulnerable
(uses system openjpeg2)
|
|
impish |
Not vulnerable
(uses system openjpeg2)
|
|
jammy |
Not vulnerable
(uses system openjpeg2)
|
|
kinetic |
Not vulnerable
(uses system openjpeg2)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
(code not compiled)
|
|
openjpeg Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Released
(2.3.0)
|
|
xenial |
Not vulnerable
(code not present)
|
|
Patches: upstream: https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7 |
||
openjpeg2 Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Released
(2.3.0-1)
|
|
cosmic |
Ignored
(end of life)
|
|
disco |
Not vulnerable
(2.3.0-1)
|
|
eoan |
Not vulnerable
(2.3.0-1)
|
|
focal |
Not vulnerable
(2.3.0-1)
|
|
groovy |
Not vulnerable
(2.3.0-1)
|
|
hirsute |
Not vulnerable
(2.3.0-1)
|
|
impish |
Not vulnerable
(2.3.0-1)
|
|
jammy |
Not vulnerable
(2.3.0-1)
|
|
kinetic |
Not vulnerable
(2.3.0-1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(2.3.0)
|
|
xenial |
Released
(2.1.2-1.1+deb9u6ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
zesty |
Ignored
(end of life)
|
|
Patches: upstream: https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |