Bug 30263 - openjpeg2 new security issue CVE-2018-16376
Summary: openjpeg2 new security issue CVE-2018-16376
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
Whiteboard: MGA8TOO
 
Reported: 2022-04-08 19:09 CEST by David Walser
Modified: 2022-04-11 15:46 CEST
Source RPM: openjpeg2-2.4.0-5.mga9.src.rpm

Description David Walser 2022-04-08 19:09:51 CEST
SUSE has issued an advisory on April 7:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010666.html

I'm not sure what SUSE did to address this issue.  It looks like upstream removed the affected code in May 2021.

Mageia 8 is also affected.
David Walser 2022-04-08 19:10:07 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-08 21:35:20 CEST
Our version 2.4.0 goes back to Dec 2020, since patched April 2021, June 2021, April 2022, none referring to this old CVE.

'openjpeg2' is officially with DavidG, so assigning the bug thus; but CC'ing NicolasS because you very recently did a CVE patch for bug 30229, and might want to do this one too.

Assignee: bugsquad => geiger.david68210
CC: (none) => nicolas.salguero

Comment 2 Nicolas Salguero 2022-04-11 10:20:15 CEST
Hi,

We build neither MJ2 nor JP3D so it seems the bugs described in https://github.com/uclouvain/openjpeg/issues/1127 (CVE-2018-16376) and https://github.com/uclouvain/openjpeg/issues/1272 cannot affect the binaries that come from our packages.

Best regards,

Nico.
Comment 3 David Walser 2022-04-11 15:46:01 CEST
Thanks.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

