Fedora has issued an advisory today (December 22):
Mageia 7 is also affected.
Assigning to DavidG as most recent maintainer - more CVEs!
new package pushed in cauldron and mageia 7:
Updated openjpeg2 packages fix security vulnerabilities:
There's a flaw in openjpeg in src/lib/openjp2/pi.c. When an attacker is able to
provide crafted input to be processed by the openjpeg encoder, this could cause
an out-of-bounds read. The greatest impact from this flaw is to application
There's a flaw in openjpeg's t2 encoder. An attacker who is able to provide
crafted input to be processed by openjpeg could cause a null pointer
dereference. The highest impact of this flaw is to application availability
A flaw was found in OpenJPEG. This flaw allows an attacker to provide specially
crafted input to the conversion or encoding functionality, causing an
out-of-bounds read. The highest threat from this vulnerability is system
There's a flaw in src/lib/openjp2/pi.c of openjpeg. If an attacker is able to
provide untrusted input to openjpeg's conversion/encoding functionality, they
could cause an out-of-bounds read. The highest impact of this flaw is to
application availability (CVE-2020-27845).
Updated packages in core/updates_testing:
Not much discussion on the web - no obvious reproducers. Testing update later.
Using bug 27822 as a guide tested some of the utilities on various jpeg files.
$ opj_compress -i ikapati.ppm -o ikapati.jp2
$ opj_dump -i ikapati.jp2
$ file ikapati.jp2
ikapati.jp2: JPEG 2000 Part 1 (JP2)
$ identify ikapati.jp2
ikapati.jp2 JP2 1434x717 1434x717+0+0 8-bit sRGB 0.000u 0:00.000
$ opj_decompress -i ikapati.jp2 -o ikapati.bmp
Results are identical to those on the previous bug.
All output files display properly with ImageMagick and eom.
Green light for this.
Validating. Advisory in Comment 3.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.