openSUSE has issued an advisory on September 30:
This CVE is for openjpeg2, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12973:
In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.
Since we remove internal openjpeg2 and use the system one when we build ghostscript the problem is not with ghostscript but with openjpeg2 so I change the bug report.
ghostscript new security issue CVE-2019-12973 =>
openjpeg2 new security issue CVE-2019-12973
The updated packages fix a security vulnerability:
In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616. (CVE-2019-12973)
Updated packages in core/updates_testing:
64-bit Plasma system, Intel graphics.
urpmq --whatrequires lib64openjp2_7 indicates the package is used by both ImageMagick and The GIMP. Downloaded a sample jp2 image, and attempted to load it into both apps, both before and after updating.
ImageMagick loaded and displayed the image correctly in both instances, while The GIMP did not. A little research on the Web indicated that The GIMP switched to using openjpeg2-2 starting with version 2.10, using jasper in previous versions. Since ImageMagick works OK, the fault with The GIMP would seem to rest within The GIMP, which is beyond the scope of this bug. A separate bug is needed for that.
Giving this a 64-bit OK, and Validating. Advisory in comment 2.
An update for this issue has been pushed to the Mageia Updates repository.