PT-2016-7493 · Openjpeg+2

Spyridon Chatzimichail · Published 2016-10-01 · Updated 2022-04-19 · CVE-2016-8332

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
OpenJPEG version 2.1.1

Description
A buffer overflow in the JPEG 2000 image file format parser as implemented in the OpenJPEG library causes arbitrary code execution when parsing a crafted image. A specially crafted JPEG 2000 file can cause an out-of-bounds heap write, resulting in heap corruption that leads to arbitrary code execution. The attack requires the target user to open a malicious JPEG 2000 file. The JPEG 2000 image file format is mostly used for embedding images inside PDF documents, and the OpenJPEG library is used by a number of popular PDF renderers, making PDF documents a likely attack vector.

Recommendations
For OpenJPEG version 2.1.1, consider avoiding the use of the JPEG 2000 image file format until a patch is available, and restrict access to PDF documents that may contain malicious JPEG 2000 files to minimize the risk of exploitation.
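
To apply the recommendation above, a mail or file gateway first has to recognize which files would reach a JPEG 2000 decoder at all. The following triage check is an added example, not part of the original advisory or of the OpenJPEG project; the function names and sample bytes are constructed, and the signatures and the /JPXDecode filter name are taken from the JPEG 2000 and PDF format specifications rather than from this page.

```python
import re

JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")  # JP2 signature box
J2K_SOC_SIZ = bytes.fromhex("ff4fff51")  # raw codestream: SOC marker then SIZ marker
# A PDF name is "/" followed by characters up to whitespace or a delimiter.
PDF_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_names(data: bytes):
    """Yield PDF name objects with #xx escapes decoded (/JPXD#65code is /JPXDecode)."""
    for match in PDF_NAME.finditer(data):
        yield HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), match.group(1))


def jpeg2000_indicators(data: bytes) -> set:
    """Return why a file would be handed to a JPEG 2000 decoder (empty set if not)."""
    found = set()
    if data.startswith(JP2_SIGNATURE):
        found.add("jp2-file")
    if data.startswith(J2K_SOC_SIZ):
        found.add("j2k-codestream")
    # The PDF header may be preceded by junk, so look in the first 1024 bytes.
    if b"%PDF-" in data[:1024] and b"JPXDecode" in set(pdf_names(data)):
        found.add("pdf-jpxdecode")
    return found


# Constructed samples: no real image data, only the structures being matched.
SAMPLE_PDF = (b"%PDF-1.5\n1 0 obj\n<< /Type /XObject /Subtype /Image "
              b"/Filter /JPXD#65code /Length 0 >>\nstream\nendstream\nendobj\n")
SAMPLE_PDF_CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode /Length 0 >>\n"
                    b"stream\nendstream\nendobj\n")
SAMPLE_JP2 = JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 "

if __name__ == "__main__":
    for label, blob in [("pdf", SAMPLE_PDF), ("clean pdf", SAMPLE_PDF_CLEAN),
                        ("jp2", SAMPLE_JP2)]:
        print(label, sorted(jpeg2000_indicators(blob)))
```

A match only means the file contains JPEG 2000 content and should be held back from an unpatched decoder; it does not mean the file is malicious.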

Exploit

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

ALT-PU-2016-2055
CVE-2016-8332
DSA-3768-1
MGASA-2016-0362
OPENSUSE-SU-2017:2567-1
OPENSUSE-SU-2017_0155-1
OPENSUSE-SU-2017_0185-1
OPENSUSE-SU-2017_0207-1
OPENSUSE-SU-2024:11120-1
SUSE-SU-2016:3270-1

Affected Products

Alt Linux
Openjpeg
Suse