CVE-2016-4797 Fedoraproject CVE debrief

Who should care

Security and platform teams that package, deploy, or embed OpenJPEG; Fedora maintainers and users of Fedora 23/24 packages identified as vulnerable; and any application that accepts untrusted JP2 files for preview, conversion, or analysis.

Technical summary

According to the NVD description, OpenJPEG versions before 2.1.1 can divide by zero in opj_tcd_init_tile within tcd.c when processing a crafted JP2 file. The weakness is categorized as CWE-369. The supplied NVD record also notes that the flaw exists because of an incorrect fix for CVE-2014-7947. The NVD CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a crash-oriented availability impact with user interaction required.

Defensive priority

Medium

Recommended defensive actions

• Upgrade OpenJPEG to a version that includes the 2.1.1 fix or later.
• Review downstream packages and appliances that ship OpenJPEG, including Fedora 23/24 builds listed in the NVD CPE data.
• Restrict or sandbox handling of untrusted JP2 files in applications that use OpenJPEG.
• Validate vendor advisories and package announcements for patched builds before re-enabling JP2 ingestion workflows.

Evidence notes

Primary evidence comes from the official NVD record and its linked references. The NVD description states the divide-by-zero in opj_tcd_init_tile affects OpenJPEG before 2.1.1 and that it is tied to an incorrect prior fix for CVE-2014-7947. Supporting references include the oss-security mailing list post, a Red Hat bug record, the upstream OpenJPEG commit, an upstream issue, and Fedora package announcements. The NVD CPE criteria list vulnerable OpenJPEG versions up to 2.1.0 and Fedora 23/24 as affected.

Official resources