CVE-2020-6851

openjpeg: Heap-based buffer overflow in opj_t1_clbl_decode_processor()

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of opj_j2k_update_image_dimensions validation.

OpenJPEG hasta la versión 2.3.1 tiene un desbordamiento de búfer basado en almacenamiento dinámico en opj_t1_clbl_decode_processor en openjp2 / t1.c debido a la falta de validación de opj_j2k_update_image_dimensions.

A heap-based buffer overflow flaw was found in openjpeg in the opj_t1_clbl_decode_processor in libopenjp2.so. Affecting versions through 2.3.1, the highest threat from this vulnerability is to file confidentiality and integrity as well as system availability.

An update that fixes 13 vulnerabilities is now available. This update for openjpeg2 fixes the following issues. Fixed integer overflow vulnerability in theopj_t1_encode_cblks function. Fixed integer overflow caused by an out-of-bounds leftshift in the opj_j2k_setup_encoder function. Fixed excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c. Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c. Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c. Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.ci. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c. Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor. Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode. Fixed integer overflow that allows remote attackers to crash the application. Fixed segmentation fault in opj2_decompress due to uninitialized pointer.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-13 CVE Reserved
2020-01-13 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2025-04-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-122: Heap-based Buffer Overflow
CWE-787: Out-of-bounds Write

CAPEC

References (12)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2020/01/msg00025.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html	Mailing List

URL	Date	SRC
https://github.com/uclouvain/openjpeg/issues/1228	2024-08-04

URL	Date	SRC
https://www.oracle.com/security-alerts/cpujul2020.html	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2020:0262	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0274	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0296	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LACIIDDCKZJEPKTTFILSOSBQL7L3FC6V	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XBRMI2D3XPVWKE3V52KRBW7BJVLS5LD3	2023-11-07
https://www.debian.org/security/2021/dsa-4882	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-6851	2020-01-30
https://bugzilla.redhat.com/show_bug.cgi?id=1790511	2020-01-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Uclouvain Search vendor "Uclouvain"		Openjpeg Search vendor "Uclouvain" for product "Openjpeg"				<= 2.3.1 Search vendor "Uclouvain" for product "Openjpeg" and version " <= 2.3.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				7.7 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "7.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.1 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.1"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.2 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.4 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.7 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				8.2 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				8.4 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.7 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				8.2 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				8.4 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Oracle Search vendor "Oracle"		Georaster Search vendor "Oracle" for product "Georaster"				18c Search vendor "Oracle" for product "Georaster" and version "18c"		-		Affected
Oracle Search vendor "Oracle"		Outside In Technology Search vendor "Oracle" for product "Outside In Technology"				8.5.4 Search vendor "Oracle" for product "Outside In Technology" and version "8.5.4"		-		Affected
Oracle Search vendor "Oracle"		Outside In Technology Search vendor "Oracle" for product "Outside In Technology"				8.5.5 Search vendor "Oracle" for product "Outside In Technology" and version "8.5.5"		-		Affected