Amazon Linux AMI : openjpeg (ALAS-2012-111)

critical Nessus Plugin ID 69601

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-3358)

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
(CVE-2009-5030)

Solution

Run 'yum update openjpeg' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2012-111.html

Plugin Details

Severity: Critical

ID: 69601

File Name: ala_ALAS-2012-111.nasl

Version: 1.6

Type: local

Agent: unix

Published: 9/4/2013

Updated: 4/18/2018

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:openjpeg-libs, p-cpe:/a:amazon:linux:openjpeg-devel, p-cpe:/a:amazon:linux:openjpeg, p-cpe:/a:amazon:linux:openjpeg-debuginfo, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 7/30/2012

Reference Information

CVE: CVE-2009-5030, CVE-2012-3358

ALAS: 2012-111

RHSA: 2012:1068