Debian Bug report logs - #672455
CVE-2009-5030: Heap memory corruption leading to invalid free
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>: Bug#672455; Package libopenjpeg2. (Fri, 11 May 2012 08:09:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 11 May 2012 08:09:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libopenjpeg2
Version: 1.3+dfsg-4
Severity: important
Tags: security
CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by processing certain Gray16 TIFF images
https://bugzilla.redhat.com/show_bug.cgi?id=812317
"""
An out-of heap-based buffer bounds read and write flaw, leading to invalid
free, was found in the way a tile coder / decoder (TCD) implementation of
OpenJPEG, an open-source JPEG 2000 codec written in C language, performed
releasing of previously allocated memory for the TCD encoder handle by
processing certain Gray16 TIFF images. A remote attacker could provide a
specially-crafted TIFF image file, which once converted into the JPEG 2000 file
format with an application linked against OpenJPEG (such as 'image_to_j2k'),
would lead to that application crash, or, potentially arbitrary code execution
with the privileges of the user running the application.
Upstream ticket:
http://code.google.com/p/openjpeg/issues/detail?id=5
CVE Request:
http://www.openwall.com/lists/oss-security/2012/04/13/1
"""
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libopenjpeg2 depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
libopenjpeg2 recommends no packages.
libopenjpeg2 suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>: Bug#672455; Package libopenjpeg2. (Wed, 30 May 2012 07:21:04 GMT)
Acknowledgement sent to Mathieu Malaterre <malat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 30 May 2012 07:21:04 GMT)
Message #10 received at 672455@bugs.debian.org:
tags 672455 fixed-upstream
forwarded 672455 http://code.google.com/p/openjpeg/issues/detail?id=5
thanks
Here is the commit which hides the symptoms:
http://code.google.com/p/openjpeg/source/detail?r=1703
Added tag(s) fixed-upstream. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Wed, 30 May 2012 07:21:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>: Bug#672455; Package libopenjpeg2. (Sat, 23 Jun 2012 16:33:03 GMT)
Acknowledgement sent to Luk Claes <luk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sat, 23 Jun 2012 16:33:03 GMT)
Message #19 received at 672455@bugs.debian.org:
tags 672455 + patch
tags 672455 + pending
thanks
Dear maintainer,
I've prepared an NMU for openjpeg (versioned as 1.3+dfsg-4.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.
Cheers
Luk
[openjpeg-1.3+dfsg-4.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2012 16:33:09 GMT)
Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2012 16:33:10 GMT)
Reply sent to Luk Claes <luk@debian.org>: You have taken responsibility. (Mon, 25 Jun 2012 16:54:09 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 25 Jun 2012 16:54:09 GMT)
Message #28 received at 672455-close@bugs.debian.org:
Source: openjpeg
Source-Version: 1.3+dfsg-4.1
We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive:
libopenjpeg-dev_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/libopenjpeg-dev_1.3+dfsg-4.1_i386.deb
libopenjpeg2-dbg_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/libopenjpeg2-dbg_1.3+dfsg-4.1_i386.deb
libopenjpeg2_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/libopenjpeg2_1.3+dfsg-4.1_i386.deb
openjpeg-tools_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/openjpeg-tools_1.3+dfsg-4.1_i386.deb
openjpeg_1.3+dfsg-4.1.diff.gz
to main/o/openjpeg/openjpeg_1.3+dfsg-4.1.diff.gz
openjpeg_1.3+dfsg-4.1.dsc
to main/o/openjpeg/openjpeg_1.3+dfsg-4.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 672455@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated openjpeg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 23 Jun 2012 18:26:27 +0200
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg2 libopenjpeg2-dbg openjpeg-tools
Architecture: source i386
Version: 1.3+dfsg-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description:
libopenjpeg-dev - development files for libopenjpeg2, a JPEG 2000 image library
libopenjpeg2 - JPEG 2000 image compression/decompression library
libopenjpeg2-dbg - debug symbols for libopenjpeg2, a JPEG 2000 image library
openjpeg-tools - command-line tools using the JPEG 2000 library
Closes: 672455
Changes:
openjpeg (1.3+dfsg-4.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2009-5030: Avoid memory overrun (Closes: #672455).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Jul 2012 07:33:36 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:41:51 2019; Machine Name: buxtehude