Security Advisory Moderate: openjpeg security update

Advisory: RHSA-2017:0838-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-03-23
Last updated on: 2017-03-23
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
                   Red Hat Enterprise Linux HPC Node (v. 7)
                   Red Hat Enterprise Linux Server (v. 7)
                   Red Hat Enterprise Linux Server TUS (v. 7.3)
                   Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2016-5139, CVE-2016-5158, CVE-2016-5159, CVE-2016-7163, CVE-2016-9573, CVE-2016-9675

Details

An update for openjpeg is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

OpenJPEG is an open source library for reading and writing image files in
JPEG2000 format.

Security Fix(es):

* Multiple integer overflow flaws, leading to heap-based buffer overflows, were
found in OpenJPEG. A specially crafted JPEG2000 image could cause an application
using OpenJPEG to crash or, potentially, execute arbitrary code. (CVE-2016-5139,
CVE-2016-5158, CVE-2016-5159, CVE-2016-7163)

* An out-of-bounds read vulnerability was found in OpenJPEG, in the j2k_to_image
tool. Converting a specially crafted JPEG2000 file to another format could cause
the application to crash or, potentially, disclose some data from the heap.
(CVE-2016-9573)

* A heap-based buffer overflow vulnerability was found in OpenJPEG. A specially
crafted JPEG2000 image, when read by an application using OpenJPEG, could cause
the application to crash or, potentially, execute arbitrary code.
(CVE-2016-9675)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-9573. The
CVE-2016-9675 issue was discovered by Doran Moppert (Red Hat Product Security).


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications using OpenJPEG must be restarted for the update to take
effect.
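A check that follows from the restart requirement above, added here as an example and not part of the advisory or of Red Hat's tooling: it lists the processes on a RHEL 7 host that still have a replaced libopenjpeg.so mapped after the update was installed. The soname pattern (libopenjpeg.so.1) and the sample maps lines are assumptions.

```shell
#!/bin/sh
# Added example for this advisory, not Red Hat's tooling. After the updated
# openjpeg packages are installed, a process that still has the old library
# mapped keeps running the vulnerable code until it is restarted. The kernel
# marks such mappings "(deleted)" in /proc/PID/maps because the file the
# process opened has been unlinked and replaced on disk. The library name
# pattern assumes the RHEL 7 soname libopenjpeg.so.1; adjust for other builds.

# Succeeds (exit 0) when the /proc/PID/maps text on stdin references a
# libopenjpeg shared object whose on-disk file has been replaced or removed.
maps_has_stale_openjpeg() {
    grep -q 'libopenjpeg\.so[^ ]* (deleted)$'
}

# Print "PID command" for every running process that still maps a stale
# copy of the library; these are the applications that must be restarted.
list_stale_openjpeg_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Maps files of other users' processes are unreadable without root; skip them.
        if maps_has_stale_openjpeg < "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample maps lines (addresses and inode numbers are made up) so
# the detection can be exercised without touching /proc. The second sample
# must not match: the openjpeg mapping is current, and the deleted file
# belongs to a different library.
stale_maps_sample='7f3a10000000-7f3a10040000 r-xp 00000000 fd:00 263401 /usr/lib64/libopenjpeg.so.1.5.1 (deleted)
7f3a10040000-7f3a10240000 ---p 00040000 fd:00 263401 /usr/lib64/libopenjpeg.so.1.5.1 (deleted)'
fresh_maps_sample='7f3a10000000-7f3a10040000 r-xp 00000000 fd:00 263499 /usr/lib64/libopenjpeg.so.1.5.1
7f3a12000000-7f3a12001000 r--p 00000000 fd:00 131072 /usr/lib64/libpng15.so.15.13.0 (deleted)'

# Stand-alone use: "sh stale_openjpeg.sh --scan" (as root, to see all processes).
if [ "${1:-}" = "--scan" ]; then
    list_stale_openjpeg_procs
fi
```

Run the scan as root so that every process's maps file is readable; an empty result means no running application still uses the old library.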

Updated packages


Bugs fixed (see bugzilla for more information)

1363982 - CVE-2016-5139 chromium-browser, openjpeg: Heap overflow in parsing of JPEG2000 precincts
1372219 - CVE-2016-5158 chromium-browser, openjpeg: heap overflow due to unsafe use of opj_aligned_malloc
1372220 - CVE-2016-5159 chromium-browser, openjpeg: heap overflow in parsing of JPEG2000 code blocks
1374329 - CVE-2016-7163 openjpeg: Integer overflow in opj_pi_create_decode
1382202 - CVE-2016-9675 openjpeg: incorrect fix for CVE-2013-6045
1402711 - CVE-2016-9573 openjpeg: heap out-of-bounds read due to insufficient check in imagetopnm()

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/