Vulnerability Name: CVE-2009-5030 (CCN-74851)

Assigned: 2009-07-31
Published: 2009-07-31
Updated: 2023-02-13
Summary: The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted tile information in a Gray16 TIFF image, which causes insufficient memory to be allocated and leads to an "invalid free."
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Consequences: Gain Access
References:
Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: MITRE
Type: CNA
CVE-2009-5030

Source: CCN
Type: RHSA-2012-1068
Important: openjpeg security update

Source: CCN
Type: SA48781
OpenJPEG Gray16 TIFF Image Tile Decoding Vulnerability

Source: DEBIAN
Type: DSA-2629
openjpeg -- several issues

Source: CCN
Type: OpenJPEG Web site
OpenJPEG

Source: CCN
Type: OSVDB ID: 81343
OpenJPEG tcd.c tcd_free_encode() Function Gray16 TIFF Image Tile Information Handling Remote Memory Corruption

Source: CCN
Type: BID-53012
OpenJPEG Gray16 TIFF Image File Memory Corruption Vulnerability

Source: XF
Type: UNKNOWN
openjpeg-tcdfreeencode-code-execution(74851)

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*
Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:uclouvain:openjpeg:1.5:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:790 | P | Security update for cosign (Important) | 2022-10-01
oval:org.opensuse.security:def:20095030 | V | CVE-2009-5030 | 2022-09-02
oval:org.opensuse.security:def:679 | P | Security update for buildah (Moderate) | 2022-08-05
oval:org.opensuse.security:def:1371 | P | Security update for the Linux Kernel (Live Patch 3 for SLE 15 SP3) (Important) | 2022-06-06
oval:org.opensuse.security:def:1243 | P | Security update for the Linux Kernel (Important) | 2022-03-08
oval:org.opensuse.security:def:1599 | P | Security update for the Linux Kernel (Important) | 2022-02-02
oval:org.opensuse.security:def:1715 | P | Security update for nodejs12 (Moderate) | 2022-01-18
oval:org.opensuse.security:def:112738 | P | libopenjpeg1-1.5.2-4.7 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:1126 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:49456 | P | Security update for php72 (Moderate) | 2021-11-19
oval:org.opensuse.security:def:106210 | P | libopenjpeg1-1.5.2-4.7 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:1482 | P | Security update for ffmpeg (Important) | 2021-09-23
oval:org.opensuse.security:def:71164 | P | cups-filters-1.20.3-1.12 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71277 | P | liblua5_3-5-32bit-5.3.4-3.3.2 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:64577 | P | Security update for xen (Moderate) | 2021-09-18
oval:org.opensuse.security:def:47864 | P | python-cupshelpers-1.5.7-7.5 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47336 | P | libcares2-1.9.1-5.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48357 | P | zsh-5.0.5-6.7.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48226 | P | libxerces-c-3_1-3.1.1-12.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47661 | P | lftp-4.7.4-3.3.20 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47312 | P | libXcursor1-1.1.14-3.59 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47901 | P | tar-1.27.1-15.3.7 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47447 | P | mozilla-nspr-32bit-4.13.1-18.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47200 | P | apache-commons-beanutils-1.9.2-1.149 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48199 | P | libsrtp1-1.5.2-3.2.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47772 | P | libpython2_7-1_0-2.7.13-28.11.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47215 | P | bind-9.9.9P1-62.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48326 | P | tpm2.0-tools-3.1.4-1.12 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48012 | P | g3utils-1.1.36-58.6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47529 | P | xdg-utils-20140630-5.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47311 | P | libXRes1-1.0.7-3.53 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48310 | P | squid-4.8-2.17 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47753 | P | libopenssl-1_0_0-devel-1.0.2p-2.11 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47326 | P | libXvnc1-1.6.0-18.11.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48115 | P | libgcrypt20-1.6.1-16.68.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47640 | P | gvim-7.4.326-16.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47201 | P | apache-commons-daemon-1.0.15-6.10 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48261 | P | pcsc-ccid-1.4.25-4.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:100783 | P | apr-util-devel-1.6.1-16.43 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72523 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62804 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101210 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1015 | P | java-11-openjdk-11.0.10.0-3.53.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:48372 | P | at-3.1.14-7.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48468 | P | libXi6-1.7.4-9.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48428 | P | glib2-lang-2.48.2-10.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48437 | P | grub2-2.02~beta2-104.16 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48539 | P | libpoppler44-0.24.4-12.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:64490 | P | Security update for avahi (Moderate) | 2021-05-04
oval:org.opensuse.security:def:66750 | P | Security update for libdwarf (Low) | 2021-04-22
oval:org.opensuse.security:def:70001 | P | Security update for the Linux Kernel (Important) | 2021-03-09
oval:org.opensuse.security:def:62688 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72179 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62460 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:89921 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72290 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103576 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117007 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62571 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:94070 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72407 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107449 | P | libopenjpeg1-1.5.2-2.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:67824 | P | tcpdump on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49630 | P | gnome-desktop-lang on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49567 | P | libopenjpeg1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73323 | P | sudo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67924 | P | libopenjpeg1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49402 | P | flatpak on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49684 | P | libopenjpeg1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66658 | P | yast2-buildtools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70106 | P | libopenjpeg1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73441 | P | libopenjpeg1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49513 | P | flatpak on GA media (Moderate) | 2020-12-01
oval:org.mitre.oval:def:18382 | P | DSA-2629-1 openjpeg - several issues | 2014-06-23
oval:org.mitre.oval:def:23900 | P | ELSA-2012:1068: openjpeg security update (Important) | 2014-05-26
oval:org.mitre.oval:def:21505 | P | RHSA-2012:1068: openjpeg security update (Important) | 2014-02-24
oval:com.ubuntu.precise:def:20095030000 | V | CVE-2009-5030 on Ubuntu 12.04 LTS (precise) - medium. | 2012-07-18
oval:com.redhat.rhsa:def:20121068 | P | RHSA-2012:1068: openjpeg security update (Important) | 2012-07-11
    openjpeg openjpeg 1.5
    redhat enterprise linux 6
    redhat enterprise linux 6
    redhat enterprise linux desktop 6
    redhat enterprise linux hpc node 6