製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenJPEG における境界外読み取りに関する脆弱性

Title	OpenJPEG における境界外読み取りに関する脆弱性
Summary	OpenJPEG には、境界外読み取りに関する脆弱性が存在します。
Possible impacts	情報を取得される、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 28, 2016, midnight
Registration Date	Nov. 1, 2018, 6:20 p.m.
Last Update	Nov. 1, 2018, 6:20 p.m.

Affected System

レッドハット

Red Hat Enterprise Linux Desktop

Red Hat Enterprise Linux Server

Red Hat Enterprise Linux Server AUS

Red Hat Enterprise Linux Server EUS

Red Hat Enterprise Linux Workstation

Debian

Debian GNU/Linux

OpenJPEG project

OpenJPEG 2.1.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-9573	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
National Vulnerability Database (NVD)
2	CVE-2016-9573	https://nvd.nist.gov/vuln/detail/CVE-2016-9573

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-125	https://cwe.mitre.org/data/definitions/125.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3768	https://www.debian.org/security/2017/dsa-3768
GitHub
2	Changes for issues uclouvain#863 and uclouvain#862	https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
3	Openjpeg-2.1.2 Heap Buffer Overflow Vulnerability due to Insufficient check #862	https://github.com/uclouvain/openjpeg/issues/862
Red Hat Bugzilla
4	Bug 1402711	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9573
Red Hat Security Advisory
5	RHSA-2017:0838	http://rhn.redhat.com/errata/RHSA-2017-0838.html

Change Log

No	Changed Details	Date of change
1	[2018年11月01日] 掲載	Nov. 1, 2018, 6:20 p.m.

NVD Vulnerability Information

CVE-2016-9573

Summary	An out-of-bounds read vulnerability was found in OpenJPEG 2.1.2, in the j2k_to_image tool. Converting a specially crafted JPEG2000 file to another format could cause the application to crash or, potentially, disclose some data from the heap.
Publication Date	Aug. 1, 2018, 3:29 p.m.
Registration Date	Jan. 26, 2021, 2:20 p.m.
Last Update	Nov. 21, 2024, 12:01 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:uclouvain:openjpeg:2.1.2:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2017-0838.html	Third Party Advisory
2	http://rhn.redhat.com/errata/RHSA-2017-0838.html	Third Party Advisory
3	http://www.securityfocus.com/bid/97073	Third Party Advisory VDB Entry
4	http://www.securityfocus.com/bid/97073	Third Party Advisory VDB Entry
5	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9573	Exploit Issue Tracking Patch Third Party Advisory
6	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9573	Exploit Issue Tracking Patch Third Party Advisory
7	https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d	Patch Third Party Advisory
8	https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d	Patch Third Party Advisory
9	https://github.com/uclouvain/openjpeg/issues/862	Exploit Third Party Advisory
10	https://github.com/uclouvain/openjpeg/issues/862	Exploit Third Party Advisory
11	https://security.gentoo.org/glsa/201710-26	Third Party Advisory
12	https://security.gentoo.org/glsa/201710-26	Third Party Advisory
13	https://www.debian.org/security/2017/dsa-3768	Third Party Advisory
14	https://www.debian.org/security/2017/dsa-3768	Third Party Advisory

Common Vulnerabilities List

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*