Security Advisory Moderate: openjpeg security update

Advisory: RHSA-2017:0559-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-03-19
Last updated on: 2017-03-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2016-5139
CVE-2016-5158
CVE-2016-5159
CVE-2016-7163
CVE-2016-9675

Details

An update for openjpeg is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

OpenJPEG is an open source library for reading and writing image files in
JPEG2000 format.

Security Fix(es):

* Multiple integer overflow flaws, leading to heap-based buffer overflows, were
found in OpenJPEG. A specially crafted JPEG2000 image could cause an application
using OpenJPEG to crash or, potentially, execute arbitrary code. (CVE-2016-5139,
CVE-2016-5158, CVE-2016-5159, CVE-2016-7163)

* A vulnerability was found in the patch for CVE-2013-6045 for OpenJPEG. A
specially crafted JPEG2000 image, when read by an application using OpenJPEG,
could cause heap-based buffer overflows leading to a crash or, potentially,
arbitrary code execution. (CVE-2016-9675)

The CVE-2016-9675 issue was discovered by Doran Moppert (Red Hat Product
Security).


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications using OpenJPEG must be restarted for the update to take
effect.
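
One way to find the applications that still need that restart is shown below, as an added example rather than Red Hat's own tooling. The function name, the optional proc_root parameter and the sample tree (including the library path in it) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): find processes that still map the
# pre-update libopenjpeg and therefore need the restart described above.

# stale_openjpeg_pids [proc_root]
# Prints "PID NAME" for every process whose maps file lists libopenjpeg as
# "(deleted)": the update replaced the file on disk, but the process still
# executes the old copy. proc_root defaults to /proc (run as root to see
# every process); the parameter is an assumption added for offline testing.
stale_openjpeg_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libopenjpeg.*(deleted)' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null || true)
            printf '%s %s\n' "${dir##*/}" "${name:-?}"
        fi
    done
}

# make_sample_proc DIR: build a constructed /proc-like tree (sample data,
# not captured from a real host) with one stale and one current mapping.
make_sample_proc() {
    mkdir -p "$1/101" "$1/102"
    printf 'Name:\tviewer\n' > "$1/101/status"
    printf 'Name:\tconverter\n' > "$1/102/status"
    echo '7f10a0000000-7f10a001f000 r-xp 00000000 fd:00 1311 /usr/lib64/libopenjpeg.so.2 (deleted)' > "$1/101/maps"
    echo '7f10b0000000-7f10b001f000 r-xp 00000000 fd:00 2417 /usr/lib64/libopenjpeg.so.2' > "$1/102/maps"
}

# Demo on the constructed tree; on a real host call stale_openjpeg_pids alone.
sample=$(mktemp -d)
make_sample_proc "$sample"
stale_openjpeg_pids "$sample"
rm -rf "$sample"
```

An empty result after the update means no running process is still executing the replaced library; `rpm -q openjpeg-libs` should then report 1.3-16.el6_8.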

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
openjpeg-1.3-16.el6_8.src.rpm     MD5: b19949e04ad8644cb0b0a1fadd89775b
SHA-256: bb5919f04cbda47ec1eeb3622eab8f56c9d86478b63eac8a19c4fe4dee18e29b
 
IA-32:
openjpeg-1.3-16.el6_8.i686.rpm     MD5: ba57ba2227880d36f498649f20c79fbf
SHA-256: c71e5b141e9f556c1cb1b44371d6e2e5aa872a40d7d67a7b17b920b3a0e83560
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
 
x86_64:
openjpeg-1.3-16.el6_8.x86_64.rpm     MD5: 2a36ce662413e4126a257b9b3d47f504
SHA-256: df1e9927354d1b091ba12ea00f97267c4bd70b731e8f3b60154cc1148772e5df
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-debuginfo-1.3-16.el6_8.x86_64.rpm     MD5: 10e0720199c7e0187fc2b9cb80995446
SHA-256: 900b2552b25395c9c81f2320dd459ab3e01ea6fac3d3737a7c87e71bb102a0aa
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-devel-1.3-16.el6_8.x86_64.rpm     MD5: b8c592dc837561762de10e7bd0a29056
SHA-256: c149b16dd047083974688238f3ed88a0a19e67bebe9ee4f3d3e0f2fb1a33fb49
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
openjpeg-libs-1.3-16.el6_8.x86_64.rpm     MD5: 04db48460fadbf1ae225dc12ce6a7783
SHA-256: 77439a3894c9e8657f03af86b8676036d55429bbe1e48226133c4a9401571e22
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
openjpeg-1.3-16.el6_8.src.rpm     MD5: b19949e04ad8644cb0b0a1fadd89775b
SHA-256: bb5919f04cbda47ec1eeb3622eab8f56c9d86478b63eac8a19c4fe4dee18e29b
 
x86_64:
openjpeg-1.3-16.el6_8.x86_64.rpm     MD5: 2a36ce662413e4126a257b9b3d47f504
SHA-256: df1e9927354d1b091ba12ea00f97267c4bd70b731e8f3b60154cc1148772e5df
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-debuginfo-1.3-16.el6_8.x86_64.rpm     MD5: 10e0720199c7e0187fc2b9cb80995446
SHA-256: 900b2552b25395c9c81f2320dd459ab3e01ea6fac3d3737a7c87e71bb102a0aa
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-devel-1.3-16.el6_8.x86_64.rpm     MD5: b8c592dc837561762de10e7bd0a29056
SHA-256: c149b16dd047083974688238f3ed88a0a19e67bebe9ee4f3d3e0f2fb1a33fb49
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
openjpeg-libs-1.3-16.el6_8.x86_64.rpm     MD5: 04db48460fadbf1ae225dc12ce6a7783
SHA-256: 77439a3894c9e8657f03af86b8676036d55429bbe1e48226133c4a9401571e22
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
openjpeg-1.3-16.el6_8.src.rpm     MD5: b19949e04ad8644cb0b0a1fadd89775b
SHA-256: bb5919f04cbda47ec1eeb3622eab8f56c9d86478b63eac8a19c4fe4dee18e29b
 
IA-32:
openjpeg-1.3-16.el6_8.i686.rpm     MD5: ba57ba2227880d36f498649f20c79fbf
SHA-256: c71e5b141e9f556c1cb1b44371d6e2e5aa872a40d7d67a7b17b920b3a0e83560
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
 
PPC:
openjpeg-1.3-16.el6_8.ppc64.rpm     MD5: 42f43e7c415dbd757b8a24d86ca33a0d
SHA-256: a66f61e8290413b4553d716871f9475021f723f623633de303a15a6b233aa884
openjpeg-debuginfo-1.3-16.el6_8.ppc.rpm     MD5: d6f51437af9d2544a8bf76514e2deb6e
SHA-256: 2282f1f95c6c0a6f1933438d88cec2d50fc99b5e031b59eee40ecd4b059eb48d
openjpeg-debuginfo-1.3-16.el6_8.ppc64.rpm     MD5: a89e960bbf8bc0602b59def86c6a2ec9
SHA-256: b7d8f89d857b2ed287b8634c1613dc984c7f3121f78690f4243536ca609e59ec
openjpeg-devel-1.3-16.el6_8.ppc.rpm     MD5: 3e99d5cc67405421b8e86c3c6ec17904
SHA-256: afa9a8d5874e8a4138506f3b45c934c34fa32c2bac28e37c5e0f2e3f0d667b69
openjpeg-devel-1.3-16.el6_8.ppc64.rpm     MD5: dca3ba2139a07e03630fd9f23bd2b221
SHA-256: 311dce8871397efe23c6626e0bd7611bba5577c86ac14efb52b69783529c69b9
openjpeg-libs-1.3-16.el6_8.ppc.rpm     MD5: db09becaf20c33959835fa3686a08fa5
SHA-256: 6c3ac491235e1df130655636a9fd7a666aca33f8ae87b43e319abdf94a7b8261
openjpeg-libs-1.3-16.el6_8.ppc64.rpm     MD5: cafe900779e6969d17c53074148193cc
SHA-256: 4fc0990a55eef3c0952dc973c5e53e1bbc125e03880b98653288f88c93ad16bc
 
s390x:
openjpeg-1.3-16.el6_8.s390x.rpm     MD5: 29566f028fcaeda1d51438c76eddbaa9
SHA-256: b5dc3a8b9a25cae2e71942707a1ebf69f95e5fae8b5cd39b0acd8cbb0f4785c7
openjpeg-debuginfo-1.3-16.el6_8.s390.rpm     MD5: e80d181aaf163eec34d89577ed21b58e
SHA-256: 8199b809590643f581bbfa0904cf3a01b0ff71549bbcfb5b5aa12939c6d4c7e2
openjpeg-debuginfo-1.3-16.el6_8.s390x.rpm     MD5: bd4bb5ad37d563905af6050d32210a18
SHA-256: 43e76cd3cd73009f8d0909112c603d041ec4df8db815494eb3af5e92365936c2
openjpeg-devel-1.3-16.el6_8.s390.rpm     MD5: 68b0da716051ffb4f8da96699c635317
SHA-256: 1371f1f5e480b15a40121fdabb4573190c1aa629153e4b808558f04a72163651
openjpeg-devel-1.3-16.el6_8.s390x.rpm     MD5: 54edb008316aebb6f1dd4d4654e00fd6
SHA-256: 763eb9fa0406e4c7f5e8b56b631c055f0fe5927e6899538174b742916e447f3d
openjpeg-libs-1.3-16.el6_8.s390.rpm     MD5: cb0e2bb9722d01aa715cc9b56db5818e
SHA-256: f261f634efdc7ee28884d03c3c179ea8a245f5f24c6bd9770656ec281fb1c1e3
openjpeg-libs-1.3-16.el6_8.s390x.rpm     MD5: 83e4b09e36a0c075c93d42790461d702
SHA-256: f9270fabf95a041a2854de2ffe4a3487c0646c427c5da86b100414395422b82d
 
x86_64:
openjpeg-1.3-16.el6_8.x86_64.rpm     MD5: 2a36ce662413e4126a257b9b3d47f504
SHA-256: df1e9927354d1b091ba12ea00f97267c4bd70b731e8f3b60154cc1148772e5df
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-debuginfo-1.3-16.el6_8.x86_64.rpm     MD5: 10e0720199c7e0187fc2b9cb80995446
SHA-256: 900b2552b25395c9c81f2320dd459ab3e01ea6fac3d3737a7c87e71bb102a0aa
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-devel-1.3-16.el6_8.x86_64.rpm     MD5: b8c592dc837561762de10e7bd0a29056
SHA-256: c149b16dd047083974688238f3ed88a0a19e67bebe9ee4f3d3e0f2fb1a33fb49
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
openjpeg-libs-1.3-16.el6_8.x86_64.rpm     MD5: 04db48460fadbf1ae225dc12ce6a7783
SHA-256: 77439a3894c9e8657f03af86b8676036d55429bbe1e48226133c4a9401571e22
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
openjpeg-1.3-16.el6_8.src.rpm     MD5: b19949e04ad8644cb0b0a1fadd89775b
SHA-256: bb5919f04cbda47ec1eeb3622eab8f56c9d86478b63eac8a19c4fe4dee18e29b
 
IA-32:
openjpeg-1.3-16.el6_8.i686.rpm     MD5: ba57ba2227880d36f498649f20c79fbf
SHA-256: c71e5b141e9f556c1cb1b44371d6e2e5aa872a40d7d67a7b17b920b3a0e83560
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
 
x86_64:
openjpeg-1.3-16.el6_8.x86_64.rpm     MD5: 2a36ce662413e4126a257b9b3d47f504
SHA-256: df1e9927354d1b091ba12ea00f97267c4bd70b731e8f3b60154cc1148772e5df
openjpeg-debuginfo-1.3-16.el6_8.i686.rpm     MD5: 1a31137070f5b6ef9fa6084bb059911c
SHA-256: b16bb17f4f3dbd020a014c4d3f89ea8b2a71826bcad33dfb10b9f4e4b4556d3d
openjpeg-debuginfo-1.3-16.el6_8.x86_64.rpm     MD5: 10e0720199c7e0187fc2b9cb80995446
SHA-256: 900b2552b25395c9c81f2320dd459ab3e01ea6fac3d3737a7c87e71bb102a0aa
openjpeg-devel-1.3-16.el6_8.i686.rpm     MD5: 939d58185b7bf2a31aed88d036d98fa5
SHA-256: 47996d9a42a9364cf4677dcdde690e4e41b383cb2c49f2061cd9990a0f8f8401
openjpeg-devel-1.3-16.el6_8.x86_64.rpm     MD5: b8c592dc837561762de10e7bd0a29056
SHA-256: c149b16dd047083974688238f3ed88a0a19e67bebe9ee4f3d3e0f2fb1a33fb49
openjpeg-libs-1.3-16.el6_8.i686.rpm     MD5: 565d7c20be34058586dbbbc3740cb756
SHA-256: d7af76d3f6cf28d186fbfc4a6f17e6edd1b1d171f6a9c7aa7e4de81671728fca
openjpeg-libs-1.3-16.el6_8.x86_64.rpm     MD5: 04db48460fadbf1ae225dc12ce6a7783
SHA-256: 77439a3894c9e8657f03af86b8676036d55429bbe1e48226133c4a9401571e22
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see Bugzilla for more information)

1363982 - CVE-2016-5139 chromium-browser, openjpeg: Heap overflow in parsing of JPEG2000 precincts
1372219 - CVE-2016-5158 chromium-browser, openjpeg: heap overflow due to unsafe use of opj_aligned_malloc
1372220 - CVE-2016-5159 chromium-browser, openjpeg: heap overflow in parsing of JPEG2000 code blocks
1374329 - CVE-2016-7163 openjpeg: Integer overflow in opj_pi_create_decode
1382202 - CVE-2016-9675 openjpeg: incorrect fix for CVE-2013-6045


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/