CVE-2012-3535: Buffer Overflow
First published: Tue Jul 24 2012(Updated: )
A heap-based buffer overflow was found in the way OpenJPEG, an open-source JPEG 2000 codec written in C language, performed parsing of JPEG2000 image files. A remote attacker could provide a specially crafted JPEG 2000 file, which when opened in an application linked against openjpeg would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application. Acknowledgements: This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| uclouvain openjpeg | <=1.5 | |
| uclouvain openjpeg | =1.3 | |
| uclouvain openjpeg | =1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://code.google.com/p/openjpeg/issues/detail?id=170
- https://access.redhat.com/security/cve/CVE-2012-3535
- http://seclists.org/oss-sec/2012/q3/300
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851955
- http://code.google.com/p/openjpeg/issues/detail?id=170#c6
- http://code.google.com/p/openjpeg/source/detail?r=1918
- http://code.google.com/p/openjpeg/source/detail?r=1919
- https://rhn.redhat.com/errata/RHSA-2012-1283.html
- https://bugzilla.redhat.com/show_bug.cgi?id=842918
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090021.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090579.html
- http://osvdb.org/84978
- http://rhn.redhat.com/errata/RHSA-2012-1283.html
- http://secunia.com/advisories/50360
- http://secunia.com/advisories/50681
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:157
- http://www.openwall.com/lists/oss-security/2012/08/27/2
- http://www.openwall.com/lists/oss-security/2012/08/27/3
- http://www.securityfocus.com/bid/55214
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77994
Frequently Asked Questions
What is the severity of CVE-2012-3535?
CVE-2012-3535 is considered a critical vulnerability as it can lead to remote code execution due to a heap-based buffer overflow.
How do I fix CVE-2012-3535?
To fix CVE-2012-3535, update OpenJPEG to version 1.5 or later, which addresses the buffer overflow issue.
Which versions of OpenJPEG are affected by CVE-2012-3535?
CVE-2012-3535 affects OpenJPEG versions 1.3, 1.4, and all versions up to and including 1.5.
How can a remote attacker exploit CVE-2012-3535?
A remote attacker can exploit CVE-2012-3535 by providing a specially crafted JPEG 2000 file that triggers the buffer overflow when the file is opened.
What impact does CVE-2012-3535 have on applications using OpenJPEG?
CVE-2012-3535 can allow attackers to gain control over applications linked against OpenJPEG, potentially executing arbitrary code.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/severity
- agent/last-modified-date
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-3535
- agent/weakness
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/uclouvain
- canonical/uclouvain openjpeg
- version/uclouvain openjpeg/1.5
- version/uclouvain openjpeg/1.3
- version/uclouvain openjpeg/1.4