The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted tile information in a Gray16 TIFF image, which causes insufficient memory to be allocated and leads to an "invalid free."

The remote host is affected by the vulnerability described in GLSA-201310-07 (OpenJPEG: User-assisted execution of arbitrary code)

    OpenJPEG contains an invalid free error and multiple buffer overflow       flaws. Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted JPEG       file, possibly resulting in execution of arbitrary code or a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-3358)

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
(CVE-2009-5030)

From Red Hat Security Advisory 2012:1068 :

Updated openjpeg packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenJPEG is an open source library for reading and writing image files in JPEG 2000 format.

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-3358)

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
(CVE-2009-5030)

Users of OpenJPEG should upgrade to these updated packages, which contain patches to correct these issues. All running applications using OpenJPEG must be restarted for the update to take effect.

Updated openjpeg packages fix security vulnerability :

An out-of heap-based buffer bounds read and write flaw, leading to invalid free, was found in the way a tile coder / decoder (TCD) implementation of OpenJPEG, an open source JPEG 2000 codec written in C language, performed releasing of previously allocated memory for the TCD encoder handle by processing certain Gray16 TIFF images. A remote attacker could provide a specially crafted TIFF image file, which once converted into the JPEG 2000 file format with an application linked against OpenJPEG (such as 'image_to_j2k'), would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application (CVE-2009-5030).

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2012-3358).

It was found that OpenJPEG failed to sanity-check an image header field before using it. A remote attacker could provide a specially crafted image file that could cause an application linked against OpenJPEG to crash or, possibly, execute arbitrary code (CVE-2012-3535).

- CVE-2009-5030     Heap memory corruption leading to invalid free when     processing certain Gray16 TIFF images.

  - CVE-2012-3358     Huzaifa Sidhpurwala of the Red Hat Security Response     Team found a heap-based buffer overflow in JPEG2000     image parsing.

  - CVE-2012-3535     Huzaifa Sidhpurwala of the Red Hat Security Response     Team found a heap-based buffer overflow when decoding     JPEG2000 images.

Multiple vulnerabilities has been discovered and corrected in openjpeg :

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2009-5030).

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2012-3358).

The updated packages have been patched to correct these issues.

OpenJPEG is an open source library for reading and writing image files in JPEG 2000 format.

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-3358)

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
(CVE-2009-5030)

Users of OpenJPEG should upgrade to these updated packages, which contain patches to correct these issues. All running applications using OpenJPEG must be restarted for the update to take effect.

Updated openjpeg packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenJPEG is an open source library for reading and writing image files in JPEG 2000 format.

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-3358)

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
(CVE-2009-5030)

Users of OpenJPEG should upgrade to these updated packages, which contain patches to correct these issues. All running applications using OpenJPEG must be restarted for the update to take effect.

Backport fixes for security issues

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
70380	GLSA-201310-07 : OpenJPEG: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	critical
69601	Amazon Linux AMI : openjpeg (ALAS-2012-111)	Nessus	Amazon Linux Local Security Checks	critical
68576	Oracle Linux 6 : openjpeg (ELSA-2012-1068)	Nessus	Oracle Linux Local Security Checks	critical
66122	Mandriva Linux Security Advisory : openjpeg (MDVSA-2013:110)	Nessus	Mandriva Local Security Checks	critical
64880	Debian DSA-2629-1 : openjpeg - several issues	Nessus	Debian Local Security Checks	critical
61558	Mandriva Linux Security Advisory : openjpeg (MDVSA-2012:104)	Nessus	Mandriva Local Security Checks	critical
61362	Scientific Linux Security Update : openjpeg on SL6.x i386/x86_64 (20120711)	Nessus	Scientific Linux Local Security Checks	critical
59960	CentOS 6 : openjpeg (CESA-2012:1068)	Nessus	CentOS Local Security Checks	critical
59952	RHEL 6 : openjpeg (RHSA-2012:1068)	Nessus	Red Hat Local Security Checks	critical
59741	Fedora 16 : openjpeg-1.4-13.fc16 (2012-9628)	Nessus	Fedora Local Security Checks	high
59740	Fedora 17 : openjpeg-1.4-13.fc17 (2012-9602)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2009-5030

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high