Fedora has issued an advisory today (March 31): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NJDRJXCWHDJSXVXOZ6D4UKSSNPNLDOE/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Patch available from Fedora
Suggested advisory: ======================== The updated packages fix a security vulnerability: A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service. (CVE-2022-1122) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1122 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NJDRJXCWHDJSXVXOZ6D4UKSSNPNLDOE/ ======================== Updated packages in core/updates_testing: ======================== lib(64)openjp2_7-2.4.0-1.3.mga8 lib(64)openjpeg2-devel-2.4.0-1.3.mga8 openjpeg2-2.4.0-1.3.mga8 from SRPM: openjpeg2-2.4.0-1.3.mga8.src.rpm
Status: NEW => ASSIGNEDVersion: Cauldron => 8CC: (none) => nicolas.salgueroAssignee: bugsquad => qa-bugsStatus comment: Patch available from Fedora => (none)CVE: (none) => CVE-2022-1122Source RPM: openjpeg2-2.4.0-4.mga9.src.rpm => openjpeg2-2.4.0-1.2.mga8.src.rpmWhiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues. $ opj_compress -i IMG_1271.tif -o IMG_1271.jp2 Unable to load file: got no image That"s strange because I just saved this to tif format with gwenview from a jpg file. But I don't know what gwenview does exactly here, so pass on $ opj_compress -i IMG_1271.jpg -o IMG_1271.jp2 [ERROR] Unknown input file format: IMG_1271.jpg Known file formats are *.pnm, *.pgm, *.ppm, *.pgx, *png, *.bmp, *.tif, *.raw or *.tga Fair enough Created bmp file from same jpg again with gwenview. $ opj_compress -i IMG_1271.bmp -o IMG_1271.jp2 [INFO] tile number 1 / 1 [INFO] Generated outfile IMG_1271.jp2 encode time: 3666 ms I can open this file only with GIMP, not with gwenview or kolourpaint. But in Gimp its OK. $ opj_dump -i IMG_1271.jp2 -o imagedata [INFO] Start to read j2k main header (85). [INFO] Main header has been correctly decoded. $ less imagedata Image info { x0=0, y0=0 x1=4608, y1=3456 numcomps=3 component 0 { dx=1, dy=1 prec=8 sgnd=0 } component 1 { dx=1, dy=1 prec=8 sgnd=0 } component 2 { dx=1, dy=1 prec=8 sgnd=0 } } Codestream info from main header: { tx0=0, ty0=0 tdx=4608, tdy=3456 tw=1, th=1 and a lot more ...... $ opj_decompress -i IMG_1271.jp2 -o opj.bmp [INFO] Start to read j2k main header (85). [INFO] Main header has been correctly decoded. [INFO] No decoded area parameters, set the decoded area to the whole image [INFO] Header of tile 1 / 1 has been read. [INFO] Stream reached its end ! [INFO] Generated Outfile opj.bmp decode time: 2879 ms generated file looks OK $ file *.bmp IMG_1271.bmp: data opj.bmp: data That's weird as these come from two different sources, but this can be dependent on my desktop settings? in all, its OK with me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0129.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED