openjpeg: CVE-2012-3535

Debian Bug report logs - #685970
openjpeg: CVE-2012-3535

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openjpeg: CVE-2012-3535

Date: Mon, 27 Aug 2012 08:41:07 +0200

Package: openjpeg
Severity: grave
Tags: security
Justification: user security hole

Please see http://seclists.org/oss-sec/2012/q3/299 for details.

Cheers,
        Moritz

Message #10 received at 685970@bugs.debian.org (full text, mbox, reply):

From: Mathieu Malaterre <malat@debian.org>

To: Control bugs server <control@bugs.debian.org>

Cc: 685970@bugs.debian.org

Subject: Cant reproduce 685970 with upstream

Date: Mon, 10 Sep 2012 13:01:49 +0200

found 685970 openjpeg/1.3+dfsg-3
found 685970 openjpeg/1.3+dfsg-4.1
found 685970 openjpeg/1.3+dfsg-4.5
fixed 685970 openjpeg/1.5.0-3
thanks

I cannot reproduce #685970 with openjpeg 1.5.0

$ ./bin/j2k_to_image -i test2.j2k -o test.ppm

[ERROR] 001c4ebe: expected a marker instead of d900
ERROR -> j2k_to_image: failed to decode image!

and/or openjpeg from 1.5 branch:


$ ./bin/j2k_to_image -i test2.j2k -o test.ppm

[WARNING] 001c4ebe: expected a marker instead of d900
[INFO] tile 1 of 1
[INFO] - tiers-1 took 0.032002 s
[INFO] - dwt took 0.056004 s
[WARNING] Number of components (1) is inconsistent with a MCT. Skip
the MCT step.
[INFO] - tile decoded in 0.100006 s
Generated Outfile test.ppm

Message #23 received at 685970@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Mathieu Malaterre <malat@debian.org>

Cc: 685970@bugs.debian.org

Subject: Re: Cant reproduce 685970 with upstream

Date: Wed, 12 Sep 2012 18:18:39 +0200

On Mon, Sep 10, 2012 at 01:01:49PM +0200, Mathieu Malaterre wrote:
> found 685970 openjpeg/1.3+dfsg-3
> found 685970 openjpeg/1.3+dfsg-4.1
> found 685970 openjpeg/1.3+dfsg-4.5
> fixed 685970 openjpeg/1.5.0-3
> thanks
> 
> I cannot reproduce #685970 with openjpeg 1.5.0
> 
> $ ./bin/j2k_to_image -i test2.j2k -o test.ppm
> 
> [ERROR] 001c4ebe: expected a marker instead of d900
> ERROR -> j2k_to_image: failed to decode image!
> 
> and/or openjpeg from 1.5 branch:
> 
> 
> $ ./bin/j2k_to_image -i test2.j2k -o test.ppm
> 
> [WARNING] 001c4ebe: expected a marker instead of d900
> [INFO] tile 1 of 1
> [INFO] - tiers-1 took 0.032002 s
> [INFO] - dwt took 0.056004 s
> [WARNING] Number of components (1) is inconsistent with a MCT. Skip
> the MCT step.
> [INFO] - tile decoded in 0.100006 s
> Generated Outfile test.ppm

A final upstream patch is now available, please apply:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3535

Also, since #681717 doesn't seem to be accepted at this point in the
Wheezy freeze, please proceed with a testing-proposed-updates upload
to get the security fixes into Wheezy.

Cheers,
        Moritz

Message #28 received at 685970@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 685970@bugs.debian.org

Subject: re: openjpeg: CVE-2012-3535

Date: Mon, 15 Oct 2012 21:12:21 -0400

[Message part 1 (text/plain, inline)]

I've uploaded an nmu to delayed/2 fixing this issue.  See attached
patch diffed against testing and includes the multiarch conversion as
well.

Best wishes,
Mike

[openjpeg.patch (application/octet-stream, attachment)]

Message #33 received at 685970-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 685970-close@bugs.debian.org

Subject: Bug#685970: fixed in openjpeg 1.3+dfsg-4.6

Date: Thu, 18 Oct 2012 00:02:32 +0000

Source: openjpeg
Source-Version: 1.3+dfsg-4.6

We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated openjpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Sep 2012 00:34:07 -0400
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg2 libopenjpeg2-dbg openjpeg-tools
Architecture: source amd64
Version: 1.3+dfsg-4.6
Distribution: unstable
Urgency: low
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libopenjpeg-dev - development files for libopenjpeg2, a JPEG 2000 image library
 libopenjpeg2 - JPEG 2000 image compression/decompression library
 libopenjpeg2-dbg - debug symbols for libopenjpeg2, a JPEG 2000 image library
 openjpeg-tools - command-line tools using the JPEG 2000 library
Closes: 685970
Changes: 
 openjpeg (1.3+dfsg-4.6) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Reduce debhelper dependency and debian/compat to 5
     - Don't include openjpeg-tools binaries in the debug package since
       those files are not multiarch co-installable at this compat level.
   * Fix cve-2012-3535: buffer overflow in JPEG2000 decoding (closes: #685970).
Checksums-Sha1: 
 6a9d21a67b621fc6e0a824aab4831ec6a789e7bd 2869 openjpeg_1.3+dfsg-4.6.dsc
 110bd7142a9915ae8a45525198c8e71b814389d7 13822 openjpeg_1.3+dfsg-4.6.diff.gz
 577c713dafeab5e5ec76aae1dc16c40e6f87953a 98670 libopenjpeg-dev_1.3+dfsg-4.6_amd64.deb
 2683b40b30d7ef450623f41eaa05b2dfe5595f15 85892 libopenjpeg2_1.3+dfsg-4.6_amd64.deb
 d4f8cea18589cb22bb103f3c02785e9c12d1a598 161766 libopenjpeg2-dbg_1.3+dfsg-4.6_amd64.deb
 9232d647014f988d4bfd5dc0a84bd7c067ac84e3 217470 openjpeg-tools_1.3+dfsg-4.6_amd64.deb
Checksums-Sha256: 
 3a0d48e3db703daa3023a859f202cc4e742b85fcb16c01c1ad8ae8ae062083bf 2869 openjpeg_1.3+dfsg-4.6.dsc
 5e3481bcbb3e30b0a35277ef4f7783935eab9af7aa5060851a7458247e2c7a0e 13822 openjpeg_1.3+dfsg-4.6.diff.gz
 aeaa6eb822a68725edd3dfa720dc57a5ccfb99b252181b66ffdc14b136e80dc9 98670 libopenjpeg-dev_1.3+dfsg-4.6_amd64.deb
 314499fa725984097546ab3bc790de59ee3ae274c78ebf4f59b4a113295b0d05 85892 libopenjpeg2_1.3+dfsg-4.6_amd64.deb
 6d24dece02cf6fe9a1234ee3e707768e8dd52e0d1647f05bc5897b4fa99ab134 161766 libopenjpeg2-dbg_1.3+dfsg-4.6_amd64.deb
 625a24a47f4e2186ab1fc87def3a22644942c27d373f4e5f381cf2e99f56525c 217470 openjpeg-tools_1.3+dfsg-4.6_amd64.deb
Files: 
 2e524dba9906158cf42fdd527e9cf036 2869 libs extra openjpeg_1.3+dfsg-4.6.dsc
 2db26d52ae818424bda30d86c0125f56 13822 libs extra openjpeg_1.3+dfsg-4.6.diff.gz
 27327cc377d67bde35ef512cb0c63e55 98670 libdevel extra libopenjpeg-dev_1.3+dfsg-4.6_amd64.deb
 12c77ff028d906e38620400ac59e60f3 85892 libs extra libopenjpeg2_1.3+dfsg-4.6_amd64.deb
 8416510c5c1667b5260ca5db2a6a0e7a 161766 libdevel extra libopenjpeg2-dbg_1.3+dfsg-4.6_amd64.deb
 1034da49c2ad6c4ce241681e71374441 217470 graphics extra openjpeg-tools_1.3+dfsg-4.6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQQcBAEBCAAGBQJQeeNcAAoJELjWss0C1vRzIjsf/36OXEVQjeRFLkSAMxAgL5Ku
ztjm2sNLhnOqhswESGi70mHM23AYBnvUt+TuPUvfhzwik8LOnz4LIYrCcc+MGbt1
cKWrwkyYckyIKJs815AVQZXhHtzNK60HTOx008UjJeNYg52lLoqZq2oKJxvK2PZV
JJ61d36teUeXfr7XtgYo07Q4biOdc3Yca2S6KZqPATim19e8sol38wsU6t+jETBr
uJzqTWEktreNJrvai19Ttub8+vEHRjA3WQ+uU5HMZbt/4kk8KqHLiLRUQyszHSWZ
Pk2B9QS6vBSxFUjHu80ZsPP7AhwaWzNSQfu9ZkjMclgDIIVw4rKfArDdsxUQlfyo
FVq9LXu3vs7n1dUx/femKNsyTIAs1xSRUtvDMTTvadUuCG0qzwvZBQoAwtAVGPPW
rY5KKBxxxNQhyQ4ngsXRwzGLAbmPaw5OBMm6vw7hyAaOkzHGBeQaTD2KPT4TlUcL
j9l4yaKj2owMOEPEkdBcWul8ATt4qIyxm/28tc8uNfGEbjC0bR69HdWGDik4n08r
QXbXuSBZofwcpkK+jbfE/ULWAGlW/r6plRFgVE0vaInOvG/f/DoHEjwAZgW1Tppt
izIITgjuoUyVQRCDPoJ0kmkrMNqon2NIZz/iV4IJmVjrH9NtG/hYyGs2QVfrLVQc
sJdQ/neWNaa/gMUvw9q6TgRtskZr4OescS30XH9II6hjGFQfxCl/ZOYNk4Z+AyXj
h4IT1UHJoNgWgxv4DzNpBQ9XuxhJQqJMsjkxYKGftTMXHv5qr+klkGgPd6lCN0Kw
LW4XmG1dzPHbOH5CIs4rkhQ2Wq5XXrx0m8SyRS3qZixFNu8bCoAxc61uhk0H/EaW
jtFDXGWyPQPkqxZ0tu8AJZWL/NuAcHhR3FCg7FVL1ernnt5I5VhFfPr7YmMK9v/6
/ndPJwoAFiMKPKHPpfuN4gEsr95iLpVBn68BNdli0M6iSjlZmS7G1qxiTkYcuXo4
76KWU/QuVpuaH1iAFNkO+KnLzWFnQ6dd+YyVIK+sSNrn0FXVyvEuOK81a2ZwnEMr
h5JJfukYxxJnCiz6x0c2+rDfuPj2+Xohk0JG1zVILFLpMJJz4N6brX616MkwEfhK
acWsTmR10S2RXPrCqONj0QtO92yn7nG3FZ348rOUezwBQ2pGE25PnDK+4zzx7Wa+
e3sKoURB4ywIqxqCklYEI64DnLLe+XX+Du3tRZ64xb8ezttdVXW0iNboN80S/jTV
gVprDdAlrMKlxylpdTdl/EsNbHYrMY736CG+YkMWVblXXB0vAc2ZjRttm9diliiS
ffdEIUm4wqQwosxucBidMvQeSNjTuzL2iZiQ+kHfyjD7weaiFNaKa5N13yOtkkY=
=hMmV
-----END PGP SIGNATURE-----

Message #38 received at 685970-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 685970-close@bugs.debian.org

Subject: Bug#685970: fixed in openjpeg 1.3+dfsg-4+squeeze1

Date: Tue, 26 Feb 2013 12:17:04 +0000

Source: openjpeg
Source-Version: 1.3+dfsg-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated openjpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 18 Feb 2013 18:55:32 +0000
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg2 libopenjpeg2-dbg openjpeg-tools
Architecture: source amd64
Version: 1.3+dfsg-4+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libopenjpeg-dev - development files for libopenjpeg2, a JPEG 2000 image library
 libopenjpeg2 - JPEG 2000 image compression/decompression library
 libopenjpeg2-dbg - debug symbols for libopenjpeg2, a JPEG 2000 image library
 openjpeg-tools - command-line tools using the JPEG 2000 library
Closes: 672455 685970
Changes: 
 openjpeg (1.3+dfsg-4+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2012-3535: buffer overflow in JPEG2000 decoding (closes: #685970).
   * Fix cve-2012-3358: another buffer overflow in JPEG2000 image file handling.
     Fix cve-2009-5030: avoid memory overrun (Closes: #672455).
Checksums-Sha1: 
 732749852ee1b24b438f2854ceec736c34cfd5cd 2721 openjpeg_1.3+dfsg-4+squeeze1.dsc
 bac94ef1e288aaf122f1c45605236bac6b47dabd 895482 openjpeg_1.3+dfsg.orig.tar.gz
 af209d8cfef4cab04c62937cf52c5edaff675aa5 13429 openjpeg_1.3+dfsg-4+squeeze1.diff.gz
 8960d632bba1407d580c359c02925322fa26e415 95034 libopenjpeg-dev_1.3+dfsg-4+squeeze1_amd64.deb
 775e3e8c22315d9a1721e17754ff36ca49b7b62e 82040 libopenjpeg2_1.3+dfsg-4+squeeze1_amd64.deb
 a5b3f6c3d681c97e736ed28f104a5904598b7d01 315416 libopenjpeg2-dbg_1.3+dfsg-4+squeeze1_amd64.deb
 d8b24ad9b0e88e3b64e62a955856e753799fe122 210010 openjpeg-tools_1.3+dfsg-4+squeeze1_amd64.deb
Checksums-Sha256: 
 98d749a3c8607d00b8a63e79a00b30968d0c67b14e0c83ca833e353c8f9448ca 2721 openjpeg_1.3+dfsg-4+squeeze1.dsc
 5ba9a6653931907c5b7cc67443470f1b23a5be846ab11ccaf8ca7e2ffa6387af 895482 openjpeg_1.3+dfsg.orig.tar.gz
 15a3c457f5770575cf6a2b23353cb8b852bc3c992155bb261559f56d8cbd904b 13429 openjpeg_1.3+dfsg-4+squeeze1.diff.gz
 92924f30eb78ab612719b2ddec4a54a30341ac1c6b0006c008a6b7447b466182 95034 libopenjpeg-dev_1.3+dfsg-4+squeeze1_amd64.deb
 dfc7a895749150eedcea53eeca1fe90a817e913fe70087d830434c2b375ae998 82040 libopenjpeg2_1.3+dfsg-4+squeeze1_amd64.deb
 ea1f1fad67e57f6c543edff429952d02da610f7b7aeeec04702dec9735d774e7 315416 libopenjpeg2-dbg_1.3+dfsg-4+squeeze1_amd64.deb
 51fa15cf42d6fc9580ed0249131fcf209cdd88661dbdfdc25723a77331f49cc2 210010 openjpeg-tools_1.3+dfsg-4+squeeze1_amd64.deb
Files: 
 e0e28bafe79e4ceb345aa1382462a527 2721 libs extra openjpeg_1.3+dfsg-4+squeeze1.dsc
 5fd807abf8a71adb021181d2790eda86 895482 libs extra openjpeg_1.3+dfsg.orig.tar.gz
 d0960b4d7a4911c4778c9e9a2d8d31d5 13429 libs extra openjpeg_1.3+dfsg-4+squeeze1.diff.gz
 84a7a3719f6d3e8847778d6f3eca83c5 95034 libdevel extra libopenjpeg-dev_1.3+dfsg-4+squeeze1_amd64.deb
 538b78e4b7e38c4064e7c25f2a5b0c78 82040 libs extra libopenjpeg2_1.3+dfsg-4+squeeze1_amd64.deb
 a08d5395af6ccd86e0301bf1e513a260 315416 libdevel extra libopenjpeg2-dbg_1.3+dfsg-4+squeeze1_amd64.deb
 c85abfdfe50560033abb34ad4e8aea9c 210010 graphics extra openjpeg-tools_1.3+dfsg-4+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQQcBAEBAgAGBQJRInlIAAoJELjWss0C1vRz+Jgf/j7zqlWpVGp7UNusQdozofjf
6sHJZPKKr0FL0rIgXDwt/P83KJ6bwN+JKRCzODabGSeO4yIBzBFhCh86tAqwP+vO
3p5ij4WnXLNxVpQEuzCZH+iD0w8celgfzN/PN7/YHZRQiLoG4Ee1CRqyyIm27rOb
Mq0o2XWP0UsajoTnUuf6ThHNJiCE5PytrKe2QI6RhEHPIYzer0s2Z9Imc7x76GQA
E5C/EaBLLSrl7cm9La13DB1d9yljbZfDiIu8SvwhTu5JNdN/e2aAX5HPVC3BThr4
qQ7O1OLyhjz5yhLDJTGr2kz971sm1bj+JIqSB+Vze7r8CxRyTjHIPkFvC9KwoIT3
eUlXUWXBKa2bMy/jmv/wLTDucWXMy34gSgM62RXlnLdODroaiPDmKYHDGx0FovF0
L1ldGzyvxKHF1G3kkAil1p5qHgAyQW43dJ6wgBDuJcX75J3tUJbduZMSh+ZeJLzd
1M3dclnf8BErZFci+InwL0e9G5wiE+sn2Nkwx33Zl2+hae4s16GhiYKle41eLWXI
5oTZWwDMOWx43hRufEQsfg842SrxVVdwceBLKSDxjYUUr17X9hdk/x088c2jsQAt
nJAWuxCdW769UQjcDMgRhlqHEH3PwUF0XnCsk5S5pHzulH3D+2S4HGCg64Kkzcv8
FoNkVEskXzHJP3zVKzhzwBXkUH40+Ahf6CuvC0xUhFl3A6SuqgxCbhVXubtC1Pc6
WKe9VToHKzj7Wzxoy38SKpASB5nCEr54F0H8/lU2uXLdzdjRq7CHyAGgiqVPx8ko
YdWXYD0HqPuiCxeuAYJUpxRfxJ//+vRfvBo7e9r++QqZNDjOQnHs1dP0TLASEWCy
o74/vGlrcx1cmUku1NbOnYvjrwOhrvnqluvvkfJANxjzc11zSzljqLJ4surgKmOo
/9azDhqShmZXIr8Bxd/FgBCPvVEI3GS4t9yRSbQPSlM833GBUdRv6q5bgIkYoStm
76ART5dEvndYZpYXJZNRhy1+7li1DlJZdrrAc0JjvDU5VN54ePbmx+xA4+gEUDyG
pNjpvx/fiaB3NCeDryxdW1bVMdgzLU+BNyIHfIFmWEjnXKC/anN++i6BnjZMW7KF
P/mfVZ8WJ0t/FvB7jItsjg2Iz3FBehnZC8F6vjz/pZyE/++Gh9CSTA6DaX2em035
+TJd4kWBbWHgeiUaCZf7X4wArJ09z5lMbrok1Man4vsFCQ5JhvV4YNMuLG63cchW
BbAalahTSrxeVIEXJSNUZKuh5Ldbx9cAd5qlkUxryPtQro+HuSPdDcgbuZ9cuhcW
bKKDaKd0FQ4N2PHPgCSMgC8epV4OpBD3cJSaBeT2qKfcCS3kyC9zkAID1murwWE=
=nT6y
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.