Ubuntu 16.04 ESM : OpenJPEG vulnerabilities (USN-5664-1)

2023-10-2000:00:00

www.tenable.com

division-by-zero vulnerabilities

denial of service

null pointer dereference

buffer overflow

remote code execution

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.013 Low

EPSS

Percentile

86.0%

JSON

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5664-1 advisory.

Division-by-zero vulnerabilities in the functions opj_pi_next_cprl, opj_pi_next_pcrl, and opj_pi_next_rpcl in pi.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files. (CVE-2016-10506)
convert.c in OpenJPEG before 2.1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors involving the variable s. (CVE-2016-7445)
Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG 2.1.2. (CVE-2016-9112)
In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the pgxtoimage function in jpwl/convert.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution. (CVE-2017-17479)
OpenJPEG 2.3.0 has a NULL pointer dereference for red in the imagetopnm function of jp2/convert.c (CVE-2018-18088)
A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability. (CVE-2020-27824)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5664-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183615);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");

  script_cve_id(
    "CVE-2016-7445",
    "CVE-2016-9112",
    "CVE-2016-10506",
    "CVE-2017-17479",
    "CVE-2018-18088",
    "CVE-2020-27824"
  );
  script_xref(name:"USN", value:"5664-1");

  script_name(english:"Ubuntu 16.04 ESM : OpenJPEG vulnerabilities (USN-5664-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-5664-1 advisory.

  - Division-by-zero vulnerabilities in the functions opj_pi_next_cprl, opj_pi_next_pcrl, and opj_pi_next_rpcl
    in pi.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash)
    via crafted j2k files. (CVE-2016-10506)

  - convert.c in OpenJPEG before 2.1.2 allows remote attackers to cause a denial of service (NULL pointer
    dereference and application crash) via vectors involving the variable s. (CVE-2016-7445)

  - Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cprl function in openjp2/pi.c:523 in
    OpenJPEG 2.1.2. (CVE-2016-9112)

  - In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the pgxtoimage function in
    jpwl/convert.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of
    service or possibly remote code execution. (CVE-2017-17479)

  - OpenJPEG 2.3.0 has a NULL pointer dereference for red in the imagetopnm function of jp2/convert.c
    (CVE-2018-18088)

  - A flaw was found in OpenJPEG's encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows
    an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest
    threat from this vulnerability is to system availability. (CVE-2020-27824)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5664-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17479");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libopenjpeg-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libopenjpeg-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libopenjpeg5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjpeg-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjpip-dec-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjpip-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjpip-viewer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjpip-viewer-xerces");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'libopenjpeg-dev', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'libopenjpeg-java', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'libopenjpeg5', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'openjpeg-tools', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'openjpip-dec-server', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'openjpip-server', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'openjpip-viewer', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'openjpip-viewer-xerces', 'pkgver': '1:1.5.2-3.1ubuntu0.1~esm2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenjpeg-dev / libopenjpeg-java / libopenjpeg5 / openjpeg-tools / etc');
}

VendorProductVersionCPE
canonicalubuntu_linuxopenjpeg-toolsp-cpe:/a:canonical:ubuntu_linux:openjpeg-tools
canonicalubuntu_linuxopenjpip-dec-serverp-cpe:/a:canonical:ubuntu_linux:openjpip-dec-server
canonicalubuntu_linuxopenjpip-serverp-cpe:/a:canonical:ubuntu_linux:openjpip-server
canonicalubuntu_linuxopenjpip-viewerp-cpe:/a:canonical:ubuntu_linux:openjpip-viewer
canonicalubuntu_linuxopenjpip-viewer-xercesp-cpe:/a:canonical:ubuntu_linux:openjpip-viewer-xerces
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonicalubuntu_linuxlibopenjpeg-devp-cpe:/a:canonical:ubuntu_linux:libopenjpeg-dev
canonicalubuntu_linuxlibopenjpeg-javap-cpe:/a:canonical:ubuntu_linux:libopenjpeg-java
canonicalubuntu_linuxlibopenjpeg5p-cpe:/a:canonical:ubuntu_linux:libopenjpeg5

Vendor	Product	Version	CPE
canonical	ubuntu_linux	openjpeg-tools	p-cpe:/a:canonical:ubuntu_linux:openjpeg-tools
canonical	ubuntu_linux	openjpip-dec-server	p-cpe:/a:canonical:ubuntu_linux:openjpip-dec-server
canonical	ubuntu_linux	openjpip-server	p-cpe:/a:canonical:ubuntu_linux:openjpip-server
canonical	ubuntu_linux	openjpip-viewer	p-cpe:/a:canonical:ubuntu_linux:openjpip-viewer
canonical	ubuntu_linux	openjpip-viewer-xerces	p-cpe:/a:canonical:ubuntu_linux:openjpip-viewer-xerces
canonical	ubuntu_linux	16.04	cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonical	ubuntu_linux	libopenjpeg-dev	p-cpe:/a:canonical:ubuntu_linux:libopenjpeg-dev
canonical	ubuntu_linux	libopenjpeg-java	p-cpe:/a:canonical:ubuntu_linux:libopenjpeg-java
canonical	ubuntu_linux	libopenjpeg5	p-cpe:/a:canonical:ubuntu_linux:libopenjpeg5