CVE-2016-1628

EUVD-2016-2723
pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
googlechrome
𝑥
≤ 48.0.2564.103
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openjpeg2
bookworm
2.5.0-2
fixed
bullseye
2.4.0-3
fixed
jessie
not-affected
sid
2.5.0-2
fixed
trixie
2.5.0-2
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
chromium-browser
precise
ignored
trusty
Fixed 48.0.2564.116-0ubuntu0.14.04.1.1111
released
vivid
ignored
wily
Fixed 48.0.2564.116-0ubuntu0.15.10.1.1221
released
oxide-qt
precise
dne
trusty
dne
vivid
not-affected
wily
not-affected
Common Weakness Enumeration
References
http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html
http://rhn.redhat.com/errata/RHSA-2016-0241.html
http://www.debian.org/security/2016/dsa-3486
http://www.debian.org/security/2017/dsa-4013
http://www.securityfocus.com/bid/83125
http://www.securitytracker.com/id/1035183
http://www.zerodayinitiative.com/advisories/ZDI-16-172/
https://code.google.com/p/chromium/issues/detail?id=571479
https://codereview.chromium.org/1590593002
https://security.gentoo.org/glsa/201603-09
https://security.gentoo.org/glsa/201710-26
http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html
http://rhn.redhat.com/errata/RHSA-2016-0241.html
http://www.debian.org/security/2016/dsa-3486
http://www.debian.org/security/2017/dsa-4013
http://www.securityfocus.com/bid/83125
http://www.securitytracker.com/id/1035183
http://www.zerodayinitiative.com/advisories/ZDI-16-172/
https://code.google.com/p/chromium/issues/detail?id=571479
https://codereview.chromium.org/1590593002
https://security.gentoo.org/glsa/201603-09
https://security.gentoo.org/glsa/201710-26