Fedora has issued an advisory today (December 22): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THY4LKGUS3D4XE5YHKLMTPVLURQ7OV57/ Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to DavidG as most recent maintainer - more CVEs!
Assignee: bugsquad => geiger.david68210
new package pushed in cauldron and mageia 7: src:openjpeg2-2.3.1-1.6.mga7
CC: (none) => mageiaVersion: Cauldron => 7Assignee: geiger.david68210 => qa-bugsWhiteboard: MGA7TOO => (none)
Advisory: ======================== Updated openjpeg2 packages fix security vulnerabilities: There's a flaw in openjpeg in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability (CVE-2020-27841). There's a flaw in openjpeg's t2 encoder. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability (CVE-2020-27842). A flaw was found in OpenJPEG. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability (CVE-2020-27843). There's a flaw in src/lib/openjp2/pi.c of openjpeg. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability (CVE-2020-27845). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27841 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27842 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27843 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27845 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THY4LKGUS3D4XE5YHKLMTPVLURQ7OV57/ ======================== Updated packages in core/updates_testing: ======================== openjpeg2-2.3.1-1.6.mga7 libopenjp2_7-2.3.1-1.6.mga7 libopenjpeg2-devel-2.3.1-1.6.mga7 from openjpeg2-2.3.1-1.6.mga7.src.rpm
Mga7, x64 Not much discussion on the web - no obvious reproducers. Testing update later.
CC: (none) => tarazed25
Using bug 27822 as a guide tested some of the utilities on various jpeg files. $ opj_compress -i ikapati.ppm -o ikapati.jp2 $ opj_dump -i ikapati.jp2 $ file ikapati.jp2 ikapati.jp2: JPEG 2000 Part 1 (JP2) $ identify ikapati.jp2 ikapati.jp2 JP2 1434x717 1434x717+0+0 8-bit sRGB 0.000u 0:00.000 $ opj_decompress -i ikapati.jp2 -o ikapati.bmp Results are identical to those on the previous bug. All output files display properly with ImageMagick and eom. Green light for this.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Advisory pushed to SVN.
CVE: (none) => CVE-2020-2784[1235]Keywords: (none) => advisoryCC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0478.html
Status: NEW => RESOLVEDResolution: (none) => FIXED