openjpeg2: CVE-2016-7163: Integer overflow in opj_pi_create_decode

Related Vulnerabilities: CVE-2016-7163   CVE-2016-7445  

Debian Bug report logs - #837604


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 12 Sep 2016 19:30:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version openjpeg2/2.1.0-2

Fixed in versions openjpeg2/2.1.0-2+deb8u1, openjpeg2/2.1.2-1

Done: Mathieu Malaterre <malat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#837604; Package src:openjpeg2. (Mon, 12 Sep 2016 19:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 12 Sep 2016 19:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpeg2: CVE-2016-7163: Integer overflow in opj_pi_create_decode
Date: Mon, 12 Sep 2016 21:27:00 +0200
Source: openjpeg2
Version: 2.1.0-2
Severity: grave
Tags: security upstream patch
Control: fixed -1 2.1.0-2+deb8u1

Hi,

the following vulnerability was published for openjpeg2.

CVE-2016-7163[0]:
Integer overflow in opj_pi_create_decode

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7163

Regards,
Salvatore



Marked as fixed in versions openjpeg2/2.1.0-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Sep 2016 19:30:05 GMT)


Reply sent to Mathieu Malaterre <malat@debian.org>:
You have taken responsibility. (Thu, 29 Sep 2016 06:36:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Sep 2016 06:36:04 GMT)


Message #12 received at 837604-close@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 837604-close@bugs.debian.org
Subject: Bug#837604: fixed in openjpeg2 2.1.2-1
Date: Thu, 29 Sep 2016 06:33:43 +0000
Source: openjpeg2
Source-Version: 2.1.2-1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837604@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Sep 2016 08:11:30 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source
Version: 2.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression library
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 837604 838690 839120
Changes:
 openjpeg2 (2.1.2-1) unstable; urgency=medium
 .
   * New upstream. Closes: #839120
   * Fix CVE-2016-7163. Closes: #837604
   * Fix CVE-2016-7445. Closes: #838690
   * Remove patches applied upstream:




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 07:36:57 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:56:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 07:39:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:06 2019; Machine Name: buxtehude
