Debian Bug report logs -
#983663
openjpeg2: CVE-2020-27843
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#983663; Package src:openjpeg2.
(Sun, 28 Feb 2021 09:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Sun, 28 Feb 2021 09:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openjpeg2
Version: 2.4.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1297
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.3.0-2+deb10u1
Control: found -1 2.3.0-2
Hi,
The following vulnerability was published for openjpeg2.
CVE-2020-27843[0]:
| A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw
| allows an attacker to provide specially crafted input to the
| conversion or encoding functionality, causing an out-of-bounds read.
| The highest threat from this vulnerability is system availability.
The issue is prevented in 2.4.0 but as per upstream the commited
change is unlikely to be the proper fix. Thus still keeping the 2.4.0
as affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-27843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27843
[1] https://github.com/uclouvain/openjpeg/issues/1297
Regards,
Salvatore
Marked as found in versions openjpeg2/2.3.0-2+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sun, 28 Feb 2021 09:39:04 GMT) (full text, mbox, link).
Marked as found in versions openjpeg2/2.3.0-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sun, 28 Feb 2021 09:39:04 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#983663.
(Mon, 01 Mar 2021 07:21:03 GMT) (full text, mbox, link).
Message #12 received at 983663-submitter@bugs.debian.org (full text, mbox, reply):
Control: fixed -1 2.4.0-3
On Sun, Feb 28, 2021 at 10:39 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
[...]
> The issue is prevented in 2.4.0 but as per upstream the commited
> change is unlikely to be the proper fix. Thus still keeping the 2.4.0
> as affected.
[...]
Here is the correct quote from upstream:
> The security issue is solved by the fix that was committed, but I believe there's a more fundamental functional issue that, in an ideal world, would deserve to be solved
Keeping the same bug number for two different issues defeat the whole
purpose of proper bug reporting.
Marked as fixed in versions openjpeg2/2.4.0-3.
Request was from Mathieu Malaterre <malat@debian.org>
to 983663-submitter@bugs.debian.org.
(Mon, 01 Mar 2021 07:21:03 GMT) (full text, mbox, link).
Marked as fixed in versions openjpeg2/2.4.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 01 Mar 2021 07:33:02 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 01 Mar 2021 07:33:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 01 Mar 2021 07:33:03 GMT) (full text, mbox, link).
Information stored
:
Bug#983663; Package src:openjpeg2.
(Mon, 01 Mar 2021 07:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and filed, but not forwarded.
(Mon, 01 Mar 2021 07:33:05 GMT) (full text, mbox, link).
Message #25 received at 983663-quiet@bugs.debian.org (full text, mbox, reply):
Hi,
On Mon, Mar 01, 2021 at 08:16:17AM +0100, Mathieu Malaterre wrote:
> Control: fixed -1 2.4.0-3
>
> On Sun, Feb 28, 2021 at 10:39 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> [...]
> > The issue is prevented in 2.4.0 but as per upstream the commited
> > change is unlikely to be the proper fix. Thus still keeping the 2.4.0
> > as affected.
> [...]
>
> Here is the correct quote from upstream:
>
> > The security issue is solved by the fix that was committed, but I believe there's a more fundamental functional issue that, in an ideal world, would deserve to be solved
>
> Keeping the same bug number for two different issues defeat the whole
> purpose of proper bug reporting.
Yes I do agree. As you might have noticed after filling the Debian bug
I tried to clarify this with upstream, and got later on the above
quoted reply. I did just not yet follwed up in Debian.
Regards,
Salvatore
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#983663.
(Mon, 01 Mar 2021 07:33:07 GMT) (full text, mbox, link).
Message #28 received at 983663-submitter@bugs.debian.org (full text, mbox, reply):
close 983663 2.4.0-1
notfound 983663 .2.4.0-3
thanks
No longer marked as found in versions openjpeg2/2.4.0-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 01 Mar 2021 07:36:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Mar 1 16:04:38 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon