【CESA-2017:0838】最新バージョンのopenjpegが、Red Hat Enterprise Linux 7 からご利用いただけるようになりました

CESA-2017:0838

最新バージョンのopenjpegが、Red Hat Enterprise Linux 7 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

OpenJPEG is an open source library for reading and writing image files in
JPEG2000 format.

Security Fix(es):

* Multiple integer overflow flaws, leading to heap-based buffer overflows, were
found in OpenJPEG. A specially crafted JPEG2000 image could cause an application
using OpenJPEG to crash or, potentially, execute arbitrary code. (CVE-2016-5139,
CVE-2016-5158, CVE-2016-5159, CVE-2016-7163)

* An out-of-bounds read vulnerability was found in OpenJPEG, in the j2k_to_image
tool. Converting a specially crafted JPEG2000 file to another format could cause
the application to crash or, potentially, disclose some data from the heap.
(CVE-2016-9573)

* A heap-based buffer overflow vulnerability was found in OpenJPEG. A specially
crafted JPEG2000 image, when read by an application using OpenJPEG, could cause
the application to crash or, potentially, execute arbitrary code.
(CVE-2016-9675)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-9573. The
CVE-2016-9675 issue was discovered by Doran Moppert (Red Hat Product Security).

Bugs Fixed

1363982 – CVE-2016-5139 chromium-browser, openjpeg: Heap overflow in parsing of JPEG2000 precincts
1372219 – CVE-2016-5158 chromium-browser, openjpeg: heap overflow due to unsafe use of opj_aligned_malloc
1372220 – CVE-2016-5159 chromium-browser, openjpeg: heap overflow in parsing of JPEG2000 code blocks
1374329 – CVE-2016-7163 openjpeg: Integer overflow in opj_pi_create_decode
1382202 – CVE-2016-9675 openjpeg: incorrect fix for CVE-2013-6045
1402711 – CVE-2016-9573 openjpeg: heap out-of-bounds read due to insufficient check in imagetopnm()