Integer overflow in openjpeg (Alpine package)



Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2016-9580
CWE-ID: CWE-190
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: openjpeg (Alpine package)
Operating systems & Components / Operating system package or component
Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Integer overflow

EUVDB-ID: #VU33222

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-9580

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An integer overflow vulnerability was found in the tiftoimage function in openjpeg 2.1.2, resulting in a heap buffer overflow.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

openjpeg (Alpine package): 2.1.2-r0

External links

https://git.alpinelinux.org/aports/commit/?id=5b27b635acbe69cadaffce1fbe4b69d8256c1315
https://git.alpinelinux.org/aports/commit/?id=6dd49eeff4953456d2d668b4e7653967a44a4972
https://git.alpinelinux.org/aports/commit/?id=9574a8725a5423a3ccb0587849eb919baef6a3a3
https://git.alpinelinux.org/aports/commit/?id=d7a2fa12058eff3d4923043ff590abc2d5bf725e
https://git.alpinelinux.org/aports/commit/?id=26c51e95735136152ea52cc8db8eed2b6f31fde0
https://git.alpinelinux.org/aports/commit/?id=8ec2fb4b30f7ca2c630314798bd2f53835e58d57
https://git.alpinelinux.org/aports/commit/?id=d19c71fc81362c23e49997259591524b35e2eb1b
https://git.alpinelinux.org/aports/commit/?id=2fdeb6b9f30446dad66fe173663c79d9ff38c4d6
https://git.alpinelinux.org/aports/commit/?id=91f0ed50281f76fcbbc7760fd7617e01b9a50c47
https://git.alpinelinux.org/aports/commit/?id=d3f4eafef5b5094a849b82c29be2bc7c796f213d


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


