CVE-2014-0158

10.04.2018, 15:29

Heap-based buffer overflow in the JPEG2000 image tile decoder in OpenJPEG before 1.5.2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file because of incorrect j2k_decode, j2k_read_eoc, and tcd_decode_tile interaction, a related issue to CVE-2013-6045. NOTE: this is not a duplicate of CVE-2013-1447, because the scope of CVE-2013-1447 was specifically defined in http://openwall.com/lists/oss-security/2013/12/04/6 as only "null pointer dereferences, division by zero, and anything that would just fit as DoS."

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 65%

Vendor	Product	Version
uclouvain	openjpeg	𝑥 < 1.5.2
opensuse	opensuse	12.3
opensuse	opensuse	13.1

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openjpeg

saucy	not-affected
quantal	not-affected
precise	not-affected
lucid	not-affected

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1082925

https://bugzilla.suse.com/show_bug.cgi?id=871412

https://bugzilla.redhat.com/show_bug.cgi?id=1082925

https://bugzilla.suse.com/show_bug.cgi?id=871412