openjpeg2 2.4.0 has been released on December 28: https://github.com/uclouvain/openjpeg/blob/master/CHANGELOG.md Release announcement said no API or ABI breakage, so it should be a safe update.
openjpeg2-2.4.0-1.mga8 uploaded for Cauldron by David. We'll probably want to update it for Mageia 7 too.
Version: Cauldron => 7
We may have most of the security fixes already (or at least the more serious ones), but it's hard to tell with them not labeling things consistently with CVEs in the changelog. At the very least we've missed on security issue, CVE-2020-27844. Debian-LTS has issued an advisory for this on February 9: https://www.debian.org/lts/security/2021/dla-2550
Severity: normal => criticalSource RPM: openjpeg2-2.3.1-8.mga8.src.rpm => openjpeg2-2.3.1-1.6.mga7.src.rpmSummary: openjpeg2 new security issues fixed upstream in 2.4.0 => openjpeg2 new security issues fixed upstream in 2.4.0 (including CVE-2020-27844)
Done for mga7!
Package list: openjpeg2-2.4.0-1.mga7 libopenjp2_7-2.4.0-1.mga7 libopenjpeg2-devel-2.4.0-1.mga7 from openjpeg2-2.4.0-1.mga7.src.rpm
CC: (none) => geiger.david68210Assignee: geiger.david68210 => qa-bugs
The Debian advisory lists the four CVEs which were probably covered in the update under bug 27903 so you are probably right about the fixes having been done except for the "missing" CVE-2020-27844. Unfortunately there seem to be no PoC for any openjpeg2 issues going back to bug 26953 exclusive. Shall run the usual tests.
CC: (none) => tarazed25
mga7, x64 Decompressed a JP2 image before updating. Clean install for the three packages. $ opj_decompress -i Ikapati.jp2 -o Ikapati.bmp [INFO] Start to read j2k main header (85). [INFO] Main header has been correctly decoded. [INFO] No decoded area parameters, set the decoded area to the whole image [INFO] Header of tile 1 / 1 has been read. [INFO] Stream reached its end ! [INFO] Generated Outfile Ikapati.bmp decode time: 38 ms The BMP file displayed correctly with display, eom and gthumb. $ opj_dump -i Ikapati.jp2 [INFO] Start to read j2k main header (85). [INFO] Main header has been correctly decoded. Image info { x0=0, y0=0 x1=614, y1=614 [...] Codestream index from main header: { Main header start position=85 Main header end position=204 Marker list: { type=0xff4f, pos=85, len=2 .... $ opj_compress -i sunset_1.bmp -o sunset.jp2 [INFO] tile number 1 / 1 [INFO] Generated outfile sunset.jp2 encode time: 484 ms $ display sunset.jp2 <OK> According to help the utilities recognize *.pnm, *.pgm, *.ppm, *.pgx, *png, *.bmp, *.tif, *.raw or *.tga. Picking a few at random confirmed that PNM, TGA, PPM files can be compressed to JP2 format. Could not find any PNG or TIFF files which could be converted to JP2. They all come back with the message "Unable to load file: got no image". This is not a regression - it has been noted before and may indicate a project still in progress. As far as these local tests go it continues to work.
Whiteboard: (none) => MGA7-64-OK
Rider to comment 6: There may well be some PNG images which can be compressed, because they come in several flavours with different levels of compression IIRC.
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
So we have previous fixes done, adding an adv for CVE-2020-27844: Advisory: ======================== Updated openjpeg2 packages fix security vulnerability: A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27844). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27844 https://www.debian.org/lts/security/2021/dla-2550 ======================== Updated packages in core/updates_testing: ======================== openjpeg2-2.4.0-1.mga7 libopenjp2_7-2.4.0-1.mga7 libopenjpeg2-devel-2.4.0-1.mga7 from openjpeg2-2.4.0-1.mga7.src.rpm This his commited to SVN.
CC: (none) => ouaurelienKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0093.html
Status: NEW => RESOLVEDResolution: (none) => FIXED