SB2018042438 - Multiple vulnerabilities in Kakadu SDK
Published: April 24, 2018 Updated: August 8, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2017-2811)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A code execution vulnerability exists in the way Kakadu SDK 7.9 parses compressed JPEG 2000 images. When the program reads a specially crafted JPEG 2000 file, an out-of-bounds write can occur, resulting in an exploitable condition.
2) Out-of-bounds write (CVE-ID: CVE-2017-2812)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A code execution vulnerability exists in the kdu_buffered_expand function of Kakadu SDK 7.9. When the program reads a specially crafted JPEG 2000 file, an out-of-bounds write can occur, resulting in an exploitable condition.
Remediation
Install the update from the vendor's website.