{"id":2041,"date":"2017-09-06T15:34:37","date_gmt":"2017-09-06T13:34:37","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2041"},"modified":"2017-09-06T20:51:02","modified_gmt":"2017-09-06T18:51:02","slug":"heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c-incomplete-fix-for-cve-2017-14152","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/09\/06\/heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c-incomplete-fix-for-cve-2017-14152\/","title":{"rendered":"openjpeg: heap-based buffer overflow in opj_write_bytes_LE (cio.c) (INCOMPLETE FIX FOR CVE-2017-14152)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.openjpeg.org\">openjpeg<\/a> is an open-source JPEG 2000 library.<\/p>\n<p>The fix for CVE-2017-14152 seems that wasn&#8217;t enough.<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i $FILE -o null.j2k\r\nTIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.                                                                                                             \r\nTIFFReadDirectory: Warning, Unknown field with tag 6376 (0x18e8) encountered.                                                                                                                                     \r\nTIFFReadDirectory: Warning, Unknown field with tag 27154 (0x6a12) encountered.                                                                                                                                    \r\nTIFFReadDirectory: Warning, Unknown field with tag 32512 (0x7f00) encountered.                                                                                                                                    \r\nTIFFReadDirectory: Warning, Unknown field with tag 15163 (0x3b3b) encountered.                                                                                                                                    \r\nTIFFFetchNormalTag: Warning, Sanity check on size of \"Tag 6376\" value failed; tag ignored.                                                                                                                        \r\nTIFFFetchNormalTag: Warning, Incorrect count for \"FillOrder\"; tag ignored.                                                                                                                                        \r\nTIFFReadDirectory: Warning, TIFF directory is missing required \"StripByteCounts\" field, calculating from imagelength.                                                                                             \r\n=================================================================                                                                                                                                                 \r\n==62004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000000b6 at pc 0x7fd4d46ef89a bp 0x7ffc068d7070 sp 0x7ffc068d7068                                                                         \r\nWRITE of size 1 at 0x6060000000b6 thread T0                                                                                                                                                                       \r\n    #0 0x7fd4d46ef899 in opj_write_bytes_LE \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/cio.c:67:23                                                                              \r\n    #1 0x7fd4d4736bef in opj_j2k_write_sot \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:4225:5                                                                              \r\n    #2 0x7fd4d4736bef in opj_j2k_write_all_tile_parts \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:11575                                                                    \r\n    #3 0x7fd4d4736bef in opj_j2k_post_write_tile \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:11287                                                                         \r\n    #4 0x7fd4d473545d in opj_j2k_encode \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:11028:15                                                                               \r\n    #5 0x7fd4d47802f8 in opj_encode \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/openjpeg.c:775:20                                                                                \r\n    #6 0x50b942 in main \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/bin\/jp2\/opj_compress.c:1993:36                                                                                           \r\n    #7 0x7fd4d3117680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                                                                                    \r\n    #8 0x41bc18 in _start (\/usr\/bin\/opj_compress+0x41bc18)                                                                                                                                                        \r\n                                                                                                                                                                                                                  \r\n0x6060000000b6 is located 0 bytes to the right of 54-byte region [0x606000000080,0x6060000000b6)                                                                                                                  \r\nallocated by thread T0 here:                                                                                                                                                                                      \r\n    #0 0x4d15c8 in malloc \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/asan_malloc_linux.cc:66                                                                      \r\n    #1 0x7fd4d482be29 in opj_malloc \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/opj_malloc.c:196:12\r\n    #2 0x7fd4d4762760 in opj_j2k_update_rates \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:5157:22\r\n    #3 0x7fd4d473937f in opj_j2k_exec \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:7954:33\r\n    #4 0x7fd4d473937f in opj_j2k_start_compress \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/j2k.c:11103\r\n    #5 0x7fd4d478019c in opj_start_compress \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/openjpeg.c:758:20\r\n    #6 0x50b90f in main \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/bin\/jp2\/opj_compress.c:1970:20\r\n    #7 0x7fd4d3117680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/lib\/openjp2\/cio.c:67:23 in opj_write_bytes_LE\r\nShadow bytes around the buggy address:\r\n  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa\r\n=&gt;0x0c0c7fff8010: 00 00 00 00 00 00[06]fa fa fa fa fa 00 00 00 00\r\n  0x0c0c7fff8020: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n  0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa\r\n  0x0c0c7fff8040: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00\r\n  0x0c0c7fff8050: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==62004==ABORTING\r\nCINEMA 2K profile activated\r\nOther options specified could be overridden\r\n[WARNING] JPEG 2000 Profile-3 and 4 (2k\/4k dc profile) requires:\r\n1 single quality layer-&gt; Number of layers forced to 1 (rather than 3)\r\n-&gt; Rate of the last layer (1.0) will be used[INFO] tile number 1 \/ 1\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n2.2.0<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/uclouvain\/openjpeg\/commit\/dcac91b8c72f743bda7dbfa9032356bc8110098a\">https:\/\/github.com\/uclouvain\/openjpeg\/commit\/dcac91b8c72f743bda7dbfa9032356bc8110098a<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-14164<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00321-openjpeg-heapoverflow-opj_write_bytes_LE\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00321-openjpeg-heapoverflow-opj_write_bytes_LE<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-08-16: bug discovered and reported to upstream<br \/>\n2017-08-16: upstream released a fix<br \/>\n2017-09-06: blog post about the issue<br \/>\n2017-09-06: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"3LlB8hCVbM\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/09\/06\/heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c-incomplete-fix-for-cve-2017-14152\/\">heap-based buffer overflow in opj_write_bytes_LE (cio.c) (INCOMPLETE FIX FOR CVE-2017-14152)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/09\/06\/heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c-incomplete-fix-for-cve-2017-14152\/embed\/#?secret=3LlB8hCVbM\" data-secret=\"3LlB8hCVbM\" width=\"600\" height=\"338\" title=\"&#8220;heap-based buffer overflow in opj_write_bytes_LE (cio.c) (INCOMPLETE FIX FOR CVE-2017-14152)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: openjpeg is an open-source JPEG 2000 library. The fix for CVE-2017-14152 seems that wasn&#8217;t enough. The complete ASan output of the issue: # opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i $FILE -o null.j2k TIFFReadDirectoryCheckOrder: Warning, &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/09\/06\/heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c-incomplete-fix-for-cve-2017-14152\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-wV","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2041"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2041"}],"version-history":[{"count":6,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2041\/revisions"}],"predecessor-version":[{"id":2133,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2041\/revisions\/2133"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}