[opensource-dev] openjpeg 1.4 lib used with second life - CVE
Henri Beauchamp
sldev at free.fr
Fri Mar 21 03:19:02 PDT 2014
On Thu, 20 Mar 2014 21:55:31 +0000, Phil Wyett wrote:
> Hi all,
>
> SL uses the openjpeg library 1.4. This is quite an aged release.
Yes, but newer versions plain fail to decode images in SL... See below.
> Has the version bundled with SL been fixed or update arranged for the
> known CVE against it?
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358
That's an interesting question... And the reply is no!
I therefore tried to apply the various patches I found in Linux distro
repositories for the packages they provide for libopenjpeg v1.4. I found
three patches: CVE-2009-5030, CVE-2012-3535 and CVE-2012-3358.
While the fixes for CVE-2009-5030 and CVE-2012-3535 don't pose an issue
once applied, CVE-2012-3358 definitely breaks image decoding in SL: it's
probably the reason why all newer/"fixed" versions of libopenjpeg fail
to work with the viewer!
The culprit code is the added check done on "totlen" in j2k_read_sot()
when USE_JPWL is disabled (which is the case for the viewer): totlen
*does* get larger than the actual total length when decoding at non-zero
discard levels!!!
You will find the working patches attached (untouched CVE-2009-5030 and
CVE-2012-3535 patches and fixed CVE-2012-3358 patch).
Note that more fixes went into the OpenJPEG library used by most TPVs
(I fixed gcc v4.5+ warnings in mine, for example), the latter now
including the library sources into their source tree (in
indra/libopenjpeg) rather than using LL's pre-compiled library...
Regards,
Henri.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenJPEG_v1_3-CVE-2009-5030.diff
Type: application/octet-stream
Size: 913 bytes
Desc: not available
Url : http://lists.secondlife.com/pipermail/opensource-dev/attachments/20140321/871a7343/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenJPEG_v1_3-CVE-2012-3358-fixed.diff
Type: application/octet-stream
Size: 2054 bytes
Desc: not available
Url : http://lists.secondlife.com/pipermail/opensource-dev/attachments/20140321/871a7343/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenJPEG_v1_3-CVE-2012-3535.patch
Type: application/octet-stream
Size: 609 bytes
Desc: not available
Url : http://lists.secondlife.com/pipermail/opensource-dev/attachments/20140321/871a7343/attachment-0002.obj
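The "totlen" check Henri describes is a bounds check on the Psot field of a JPEG 2000 SOT marker segment. As an added illustration (not Henri's patch and not OpenJPEG's code), the constructed parser below contrasts the two ways of handling a declared tile-part length that exceeds the bytes actually held in memory: a strict check that rejects the codestream, and a tolerant one that clamps the usable length so a truncated stream still decodes without ever reading past the buffer. The sample bytes, the `parse_sot` function and the clamping approach are assumptions made here; the thread does not say how the "fixed" patch resolves the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fields of a JPEG 2000 SOT (Start Of Tile-part) marker segment, ITU-T T.800 A.4.2. */
typedef struct {
    uint16_t isot;  /* tile index */
    uint32_t psot;  /* bytes from the SOT marker to the end of this tile-part; 0 = runs to EOC */
    uint8_t  tpsot; /* tile-part index within the tile */
    uint8_t  tnsot; /* number of tile-parts, 0 if not yet known */
} sot_t;

#define SOT_SEGMENT_LEN 12u                     /* FF90 marker + 10-byte body (Lsot = 10) */
#define SOT_MIN_PSOT    (SOT_SEGMENT_LEN + 2u)  /* smallest tile-part: SOT segment + SOD marker, no data */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the SOT segment at buf; avail is how many bytes from buf onward are really in memory.
 * strict != 0: reject a Psot larger than avail (the shape of a "totlen > bytes left" check).
 * strict == 0: clamp the usable length to avail so a truncated codestream (assumed here to be
 * what partial, reduced-resolution decoding produces) still decodes as far as the data goes.
 * Returns 0 on success with the usable tile-part length in *usable, -1 on error. */
int parse_sot(const uint8_t *buf, size_t avail, int strict, sot_t *out, size_t *usable)
{
    if (avail < SOT_SEGMENT_LEN || buf[0] != 0xFF || buf[1] != 0x90 || rd16(buf + 2) != 10)
        return -1;                                   /* header missing or malformed */
    out->isot  = rd16(buf + 4);
    out->psot  = rd32(buf + 6);
    out->tpsot = buf[10];
    out->tnsot = buf[11];
    if (out->psot == 0) { *usable = avail; return 0; } /* last tile-part: runs to EOC */
    if (out->psot < SOT_MIN_PSOT) return -1;         /* cannot hold its own header: always reject */
    if (out->psot > avail) {
        if (strict) return -1;                       /* declared length overruns what we hold */
        *usable = avail;                             /* tolerant: decode what we have, no overread */
        return 0;
    }
    *usable = out->psot;
    return 0;
}

/* Constructed sample: one complete 30-byte tile-part (tile 0, Psot = 30, TPsot = 0, TNsot = 1),
 * i.e. SOT segment, SOD marker (FF93) and 16 bytes of placeholder packet data. */
const uint8_t kTilePart[30] = {
    0xFF, 0x90, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x01, 0xFF, 0x93,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
};
```

Calling `parse_sot(kTilePart, 20, 1, ...)` (only 20 of the 30 declared bytes present) fails with -1, while the tolerant mode succeeds and reports 20 usable bytes; a Psot smaller than 14 is rejected in both modes.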