Bug 30263

Summary: openjpeg2 new security issue CVE-2018-16376
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: David GEIGER <geiger.david68210>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO
Source RPM: openjpeg2-2.4.0-5.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-04-08 19:09:51 CEST 
SUSE has issued an advisory on April 7:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010666.html

I'm not sure what SUSE did to address this issue.  It looks like upstream removed the affected code in May 2021.

Mageia 8 is also affected.
David Walser 2022-04-08 19:10:07 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-08 21:35:20 CEST 
Our version 2.4.0 goes back to Dec 2020, since patched April 2021, June 2021, April 2022, none referring to this old CVE.

'openjpeg2' is officially with DavidG, so assigning the bug thus; but CC'ing NicolasS because you very recently did a CVE patch for bug 30229, and might want to do this one too.

Assignee: bugsquad => geiger.david68210
CC: (none) => nicolas.salguero

Comment 2 Nicolas Salguero 2022-04-11 10:20:15 CEST 
Hi,

We build neither MJ2 nor JP3D so it seems the bugs described in https://github.com/uclouvain/openjpeg/issues/1127 (CVE-2018-16376) and https://github.com/uclouvain/openjpeg/issues/1272 cannot affect the binaries that come from our packages.

Best regards,

Nico.
Comment 3 David Walser 2022-04-11 15:46:01 CEST 
Thanks.

Resolution: (none) => INVALID
Status: NEW => RESOLVED