Fedora has issued an advisory on December 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Done for both Cauldron and mga7! Fixes CVE-2020-27814 and CVE-2020-2782[34].
CC: (none) => geiger.david68210
Suggested Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities

Heap-buffer-overflow in lib(64)openjp2/mqc.c could result in DoS (CVE-2020-27814).

Heap-buffer-overflow write in lib(64)openjp2 (CVE-2020-27823).

Global-buffer-overflow read in lib(64)openjp2 (CVE-2020-27824).

references:
- https://bugzilla.redhat.com/show_bug.cgi?id=1902001
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/
- https://security-tracker.debian.org/tracker/CVE-2020-27823
- https://security-tracker.debian.org/tracker/CVE-2020-27824
========================

Updated packages in core/updates_testing:
========================
lib(64)openjp2_7-2.3.1-1.5.mga7
lib(64)openjpeg2-devel-2.3.1-1.5.mga7
openjpeg2-2.3.1-1.5.mga7

from SRPM
openjpeg2-2.3.1-1.5.mga7.src.rpm
CC: (none) => ouaurelien
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-27814, CVE-2020-27823, CVE-2020-27824
Source RPM: openjpeg2-2.3.1-6.mga8.src.rpm => openjpeg2-2.3.1-1.4.mga7.src.rpm
Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
RedHat has more fleshed out CVE descriptions.

Suggested Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

A heap-buffer overwrites error was discovered in lib/openjp2/mqc.c in OpenJPEG 2.3.1. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution (CVE-2020-27814).

A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2020-27823).

There is a flaw in openjpeg's encoder in the opj_dwt_calc_explicit_stepsizes() function. An attacker who is able to supply crafted input to decomposition levels could cause a buffer overflow, potentially causing an impact to application availability (CVE-2020-27824).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27824
https://bugzilla.redhat.com/show_bug.cgi?id=1905762
https://bugzilla.redhat.com/show_bug.cgi?id=1905723
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/
Summary: openjpeg2 new security issue CVE-2020-27814 => openjpeg2 new security issues CVE-2020-27814 and CVE-2020-2782[34]
Fedora has issued an advisory for the newer CVEs today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQR4EWRFFZQDMFPZKFZ6I3USLMW6TKTP/

Suggested Advisory:
========================

Updated openjpeg2 packages fix security vulnerabilities:

A heap-buffer overwrites error was discovered in lib/openjp2/mqc.c in OpenJPEG 2.3.1. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution (CVE-2020-27814).

A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2020-27823).

There is a flaw in openjpeg's encoder in the opj_dwt_calc_explicit_stepsizes() function. An attacker who is able to supply crafted input to decomposition levels could cause a buffer overflow, potentially causing an impact to application availability (CVE-2020-27824).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27824
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IT4DFBK3FQCB3UOEAZ4XYIDFSWQRMNDX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQR4EWRFFZQDMFPZKFZ6I3USLMW6TKTP/
mga7, x86_64

CVE-2020-27814
CVE-2020-27823
CVE-2020-27824
No reproducers found.

Updated the three packages.

Exercised some of the library tools.

$ opj_compress -i ikapati.ppm -o ikapati.jp2
[INFO] tile number 1 / 1
[INFO] Generated outfile ikapati.jp2
encode time: 280 ms

Looks fine using ImageMagick to display.

$ opj_dump -i ikapati.jp2
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
Image info {
    x0=0, y0=0
    x1=1434, y1=717
[...]
        type=0xff5c, pos=150, len=21
        type=0xff64, pos=171, len=39
    }
}

$ file ikapati.jp2
ikapati.jp2: JPEG 2000 Part 1 (JP2)

$ identify ikapati.jp2
ikapati.jp2 JP2 1434x717 1434x717+0+0 8-bit sRGB 0.000u 0:00.000

$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
[INFO] Generated Outfile ikapati.bmp
decode time: 107 ms

$ display ikapati.bmp
Looks identical to original file.

It is still true that the likes of eom, ristretto, gwenview and gthumb do not deal with openjpeg2 images.

This can be sent on.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validating. Best advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0464.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
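
A check an administrator could run once this update is published, as an added example that is not part of the original bug thread: it flags installed openjpeg2 packages older than the fixed 2.3.1-1.5.mga7 build named in the advisory. The input format (output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`), the expansion of "lib(64)" into lib/lib64 package names, the sample lines and the simplified version comparison (no epoch, tilde or caret handling) are assumptions.

```python
import re

# Fixed build from the advisory in this thread; names expand "lib(64)" (assumption).
FIXED_EVR = "2.3.1-1.5.mga7"
PACKAGES = {"openjpeg2", "libopenjp2_7", "lib64openjp2_7",
            "libopenjpeg2-devel", "lib64openjpeg2-devel"}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE = """\
lib64openjp2_7 2.3.1-1.4.mga7
openjpeg2 2.3.1-1.5.mga7
lib64openjpeg2-devel 2.3.1-1.5.mga7
unrelated-package 1.0-1.mga7
"""

def vercmp(a, b):
    """Simplified RPM-style compare: -1, 0 or 1 (no epoch, '~' or '^' handling)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # runs of digits or letters; the rest separates
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def evrcmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def unpatched(rpm_lines, fixed=FIXED_EVR):
    """Return (name, version-release) for tracked packages older than the fixed build."""
    hits = []
    for line in rpm_lines.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in PACKAGES and evrcmp(fields[1], fixed) < 0:
            hits.append((fields[0], fields[1]))
    return hits

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED_EVR}: update needed")
```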