The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenJPEG: buffer overflow via JPEG2000

Synthesis of the vulnerability 

An attacker can invite the victim to open a malicious JPEG2000 image, in order to create a denial of service or to execute code in applications linked to OpenJPEG.
Impacted software: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity of this computer vulnerability: 3/4.
Creation date: 27/08/2012.
References for this announcement: BID-55214, CVE-2012-3535, DSA-2629-1, FEDORA-2012-14707, FEDORA-2012-14717, MDVSA-2012:157, MDVSA-2013:110, openSUSE-SU-2012:1370-1, RHSA-2012:1283-01, VIGILANCE-VUL-11896.

Description of the vulnerability 

The OpenJPEG library is used by applications which decode JPEG2000 images.

However, when a JPEG2000 image contains invalid color transformation parameters, a buffer overflow occurs.

An attacker can therefore invite the victim to open a malicious JPEG2000 image, in order to create a denial of service or to execute code in applications linked to OpenJPEG.

This weakness impacts software or systems such as Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability announcement is important.

The trust level is "confirmed by the editor", with an origin of "document".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with specialist skills can exploit this vulnerability.

Solutions for this threat 

Debian: new openjpeg packages.
New packages are available:
  openjpeg 1.3+dfsg-4+squeeze1

Fedora: new openjpeg packages.
New packages are available:
  openjpeg-1.4-14.fc16
  openjpeg-1.4-14.fc17

Mandriva Business Server: new openjpeg packages.
New packages are available:
  openjpeg-1.5.0-2.1.mbs1

Mandriva: new openjpeg packages.
New packages are available:
  openjpeg-1.3-8.2-mdv2011

openSUSE 12.2: new openjpeg packages.
New packages are available:
  openjpeg-1.5.0-2.7.1

RHEL 6.3: new openjpeg packages.
New packages are available:
  openjpeg-1.3-9.el6_3
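As an added, defender-side example that is not part of the Vigil@nce bulletin: a small Python check that compares the openjpeg package installed on a host, as reported by `rpm -q openjpeg`, against the fixed RPM versions listed above. The version comparison is a simplified reimplementation of rpmvercmp (no epoch, tilde or caret handling), and the sample `rpm -q` lines are constructed.

```python
import re

# Fixed openjpeg package versions from the bulletin's "Solutions" section
# (RPM-based targets only; Debian's version scheme differs and is omitted).
FIXED = {
    "fedora16": "1.4-14.fc16",
    "fedora17": "1.4-14.fc17",
    "mbs1": "1.5.0-2.1.mbs1",
    "mandriva2011": "1.3-8.2-mdv2011",
    "opensuse12.2": "1.5.0-2.7.1",
    "rhel6.3": "1.3-9.el6_3",
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alpha segments; numerics compare
    as integers, alphas lexically, and a numeric segment beats an alpha one.
    Assumption: no epoch and no '~'/'^' markers occur in these versions."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(installed_vr, fixed_vr):
    """Compare 'version-release' strings: version first, then release."""
    iv, _, ir = installed_vr.partition("-")
    fv, _, fr = fixed_vr.partition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def parse_rpm_q(line, name="openjpeg"):
    """Turn 'openjpeg-1.3-8.el6_3.x86_64' (rpm -q output) into '1.3-8.el6_3'."""
    if not line.startswith(name + "-"):
        raise ValueError("unexpected package name in: " + line)
    vr = line[len(name) + 1:]
    head, _, arch = vr.rpartition(".")
    return head if arch in {"x86_64", "i686", "i386", "noarch"} else vr

# Constructed sample `rpm -q openjpeg` lines, not real host data.
SAMPLE_HOSTS = [("openjpeg-1.3-8.el6_3.x86_64", "rhel6.3"),
                ("openjpeg-1.4-14.fc17.i686", "fedora17")]
if __name__ == "__main__":
    for line, target in SAMPLE_HOSTS:
        status = "patched" if is_patched(parse_rpm_q(line), FIXED[target]) else "VULNERABLE"
        print(line, status)
```

A host whose installed version-release sorts below the bulletin's fixed version for its distribution is reported as still vulnerable.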
