[opensource-dev] openjpeg 1.4 lib used with second life - CVE

Henri Beauchamp sldev at free.fr
Fri Mar 21 03:19:02 PDT 2014


On Thu, 20 Mar 2014 21:55:31 +0000, Phil Wyett wrote:

> Hi all,
> 
> SL uses the openjpeg library 1.4. This is quite an aged release.

Yes, but newer versions plain fail to decode images in SL... See below.

> Has the version bundled with SL been fixed or update arranged for the
> known CVE against it?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358

That's an interesting question... And the reply is no!

I therefore tried to apply the various patches I found in Linux distro
repositories for the packages they provide for libopenjpeg v1.4. I found
three patches: CVE-2009-5030, CVE-2012-3535 and CVE-2012-3358.

While the fixes for CVE-2009-5030 and CVE-2012-3535 don't pose an issue
once applied, CVE-2012-3358 definitely breaks image decoding in SL: it's
probably the reason why all newer/"fixed" versions of libopenjpeg fail
to work with the viewer!

The culprit code is the added check done on "totlen" in j2k_read_sot()
when USE_JPWL is disabled (which is the case for the viewer): totlen
*does* get larger than the actual total length when decoding at non-zero
discard levels!!!

You will find the working patches attached (untouched CVE-2009-5030 and
CVE-2012-3535 patches and fixed CVE-2012-3358 patch).

Note that more fixes went into the OpenJPEG library used by most TPVs
(I fixed gcc v4.5+ warnings in mine, for example), the latter now
including the library sources in their source tree (in
indra/libopenjpeg) rather than using LL's pre-compiled library...

Regards,

Henri.
-------------- attachments --------------
OpenJPEG_v1_3-CVE-2009-5030.diff (913 bytes):
http://lists.secondlife.com/pipermail/opensource-dev/attachments/20140321/871a7343/attachment.obj
OpenJPEG_v1_3-CVE-2012-3358-fixed.diff (2054 bytes):
http://lists.secondlife.com/pipermail/opensource-dev/attachments/20140321/871a7343/attachment-0001.obj
OpenJPEG_v1_3-CVE-2012-3535.patch (609 bytes):
http://lists.secondlife.com/pipermail/opensource-dev/attachments/20140321/871a7343/attachment-0002.obj
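An added example, not code from the attached patches or from OpenJPEG itself: a stand-alone parser for the JPEG 2000 SOT marker segment that validates the Psot tile-part length field (assumed here to be the value the discussed totlen check in j2k_read_sot() is about) against the bytes actually present, so a crafted length cannot steer later tile-part reads out of bounds. The struct, function names and the two sample byte strings are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of a JPEG 2000 SOT (start of tile-part) marker segment. */
typedef struct {
    uint16_t isot;  /* tile index */
    uint32_t psot;  /* tile-part length counted from the SOT marker; 0 = up to EOC */
    uint8_t tpsot;  /* tile-part index */
    uint8_t tnsot;  /* number of tile-parts, 0 if not known */
} sot_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the SOT segment at buf[off]. len is the number of bytes actually
 * available. Returns 0 on success, -1 on a malformed segment or a Psot that
 * promises more bytes than exist: without that check a crafted Psot would
 * steer later tile-part reads past the end of the buffer. */
int read_sot(const uint8_t *buf, size_t len, size_t off, sot_t *out)
{
    if (len < off || len - off < 12) return -1;               /* marker(2)+Lsot(2)+8 payload */
    if (buf[off] != 0xFF || buf[off + 1] != 0x90) return -1;  /* not an SOT marker */
    if (rd16(buf + off + 2) != 10) return -1;                 /* Lsot is always 10 */
    out->isot  = rd16(buf + off + 4);
    out->psot  = rd32(buf + off + 6);
    out->tpsot = buf[off + 10];
    out->tnsot = buf[off + 11];
    /* A non-zero Psot must cover at least SOT+SOD (14 bytes) and fit in the data. */
    if (out->psot != 0 && (out->psot < 14 || out->psot > len - off)) return -1;
    return 0;
}

/* Convenience wrapper: Psot of the segment at offset 0, or -1 if rejected. */
long sot_psot_or_err(const uint8_t *buf, size_t len)
{
    sot_t s;
    return read_sot(buf, len, 0, &s) == 0 ? (long)s.psot : -1;
}

/* Constructed samples, not real viewer assets: a well-formed SOT (Psot = 20)
 * followed by SOD and six data bytes, and the same bytes with Psot = 0xFFFFFFF0. */
static const uint8_t SOT_OK[20]  = {0xFF,0x90,0x00,0x0A,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x01,0xFF,0x93,1,2,3,4,5,6};
static const uint8_t SOT_BAD[20] = {0xFF,0x90,0x00,0x0A,0x00,0x00,0xFF,0xFF,0xFF,0xF0,0x00,0x01,0xFF,0x93,1,2,3,4,5,6};

int main(void)
{
    printf("good: %ld\nbad: %ld\n", sot_psot_or_err(SOT_OK, sizeof SOT_OK),
           sot_psot_or_err(SOT_BAD, sizeof SOT_BAD));
    return 0;
}
```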