Bug 30229

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service. (CVE-2022-1122)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1122
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NJDRJXCWHDJSXVXOZ6D4UKSSNPNLDOE/
========================

Updated packages in core/updates_testing:
========================
lib(64)openjp2_7-2.4.0-1.3.mga8
lib(64)openjpeg2-devel-2.4.0-1.3.mga8
openjpeg2-2.4.0-1.3.mga8

from SRPM:
openjpeg2-2.4.0-1.3.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Status comment: Patch available from Fedora => (none)
CVE: (none) => CVE-2022-1122
Source RPM: openjpeg2-2.4.0-4.mga9.src.rpm => openjpeg2-2.4.0-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
$ opj_compress -i  IMG_1271.tif -o IMG_1271.jp2

Unable to load file: got no image

That"s strange because I just saved this to tif format with gwenview from a jpg file. But I don't know what gwenview does exactly here, so pass on
$ opj_compress -i  IMG_1271.jpg -o IMG_1271.jp2
[ERROR] Unknown input file format: IMG_1271.jpg 
        Known file formats are *.pnm, *.pgm, *.ppm, *.pgx, *png, *.bmp, *.tif, *.raw or *.tga
Fair enough
Created bmp file from same jpg again with gwenview.

$ opj_compress -i  IMG_1271.bmp -o IMG_1271.jp2

[INFO] tile number 1 / 1
[INFO] Generated outfile IMG_1271.jp2
encode time: 3666 ms 
I can open this file only with GIMP, not with gwenview or kolourpaint. But in Gimp its OK.
$ opj_dump -i  IMG_1271.jp2 -o imagedata

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.

$ less imagedata
Image info {
         x0=0, y0=0
         x1=4608, y1=3456
         numcomps=3
                 component 0 {
                 dx=1, dy=1
                 prec=8
                 sgnd=0
        }
                 component 1 {
                 dx=1, dy=1
                 prec=8
                 sgnd=0
        }
                 component 2 {
                 dx=1, dy=1
                 prec=8
                 sgnd=0
        }
}
Codestream info from main header: {
         tx0=0, ty0=0
         tdx=4608, tdy=3456
         tw=1, th=1
and a lot more ......

$ opj_decompress -i  IMG_1271.jp2 -o opj.bmp

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile opj.bmp
decode time: 2879 ms
generated file looks OK

$ file *.bmp
IMG_1271.bmp: data
opj.bmp:      data
That's weird as these come from two different sources, but this can be dependent on my desktop settings?
in all, its OK with me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0129.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED