Fedora has issued an advisory on January 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AWMGURRKWFOTMCKEBHYWF7HHDJSY7BTR/ openSUSE has issued an advisory on January 8: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/XKBM37J7PMJ763EKO4IP3FLOLF4U26HW/ Fixes: https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2 https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8
Status comment: (none) => Fixed upstream in 2.5.3 and patches available from upstreamSource RPM: (none) => openjpeg2-2.5.0-1.1.mga9.src.rpmCVE: (none) => CVE-2024-56826, CVE-2024-56827
I see you Nicolas last touched it. Assigning to you, if you do not want to take it please assign all packagers.
CC: (none) => friAssignee: bugsquad => nicolas.salguero
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Heap buffer overflow in bin/common/color.c. (CVE-2024-56826) Heap buffer overflow in lib/openjp2/j2k.c. (CVE-2024-56827) References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AWMGURRKWFOTMCKEBHYWF7HHDJSY7BTR/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/XKBM37J7PMJ763EKO4IP3FLOLF4U26HW/ ======================== Updated packages in core/updates_testing: ======================== lib(64)openjp2_7-2.5.0-1.2.mga9 lib(64)openjpeg2-devel-2.5.0-1.2.mga9 openjpeg2-2.5.0-1.2.mga9 from SRPM: openjpeg2-2.5.0-1.2.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugsStatus: NEW => ASSIGNEDSummary: openjpeg2 new security issues, including CVE-2024-5682[67] => openjpeg2 new security issues CVE-2024-5682[67]Status comment: Fixed upstream in 2.5.3 and patches available from upstream => (none)
Keywords: (none) => advisory
RH x86_64 installing lib64openjp2_7-2.5.0-1.2.mga9.x86_64.rpm openjpeg2-2.5.0-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/2: lib64openjp2_7 ################################################################################################## 2/2: openjpeg2 ################################################################################################## 1/2: removing openjpeg2-2.5.0-1.1.mga9.x86_64 ################################################################################################## 2/2: removing lib64openjp2_7-2.5.0-1.1.mga9.x86_64 ################################################################################################## The output of the poc command with the test file is similar before and after update and looks like this other bug where you have to recompile to reproduce strace chromium-browser contain openat(AT_FDCWD, "/lib64/libopenjp2.so.7", O_RDONLY|O_CLOEXEC) = 3
installed Ran utilities against sample file $ opj_decompress -i sample1.jp2 -o sample1.bmp able to view output file $ opj_compress -i sample1.bmp -o smp.jp2 compression worked - I don't have a viewer $ opj_dump -i sample1.jp dumped
CC: (none) => brtians1Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0012.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED