openjpeg2: CVE-2015-8871: Use-after-free in opj_j2k_write_mco

Related Vulnerabilities: CVE-2015-8871  

Debian Bug report logs - #800149
openjpeg2: CVE-2015-8871: Use-after-free in opj_j2k_write_mco


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 Sep 2015 11:57:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version openjpeg2/2.1.0-2

Fixed in version openjpeg2/2.1.1-1

Done: Mathieu Malaterre <malat@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/uclouvain/openjpeg/issues/563



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#800149; Package src:openjpeg2. (Sun, 27 Sep 2015 11:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 27 Sep 2015 11:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpeg2: Use-after-free in opj_j2k_write_mco
Date: Sun, 27 Sep 2015 13:54:25 +0200
Source: openjpeg2
Version: 2.1.0-2
Severity: important
Tags: security upstream patch fixed-upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/563

Hi

A use-after-free vulnerability was found in openjpeg2, see
http://www.openwall.com/lists/oss-security/2015/09/15/4 for the
corresponding CVE request (no CVE assigned so far).

Upstream issue: https://github.com/uclouvain/openjpeg/issues/563

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#800149; Package src:openjpeg2. (Fri, 13 May 2016 04:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 13 May 2016 04:45:04 GMT)


Message #10 received at 800149@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 800149@bugs.debian.org
Subject: Re: Bug#800149: openjpeg2: Use-after-free in opj_j2k_write_mco
Date: Fri, 13 May 2016 06:40:25 +0200
Control: retitle -1 openjpeg2: CVE-2015-8871: Use-after-free in opj_j2k_write_mco

Hi,

On Sun, Sep 27, 2015 at 01:54:25PM +0200, Salvatore Bonaccorso wrote:
> Source: openjpeg2
> Version: 2.1.0-2
> Severity: important
> Tags: security upstream patch fixed-upstream
> Forwarded: https://github.com/uclouvain/openjpeg/issues/563
> 
> Hi
> 
> A use-after-free vulnerability was found in openjpeg2, see
> http://www.openwall.com/lists/oss-security/2015/09/15/4 for the
> corresponding CVE request (no CVE assigned so far).
> 
> Upstream issue: https://github.com/uclouvain/openjpeg/issues/563

This issue has been assigned CVE-2015-8871.

Regards,
Salvatore



Changed Bug title to 'openjpeg2: CVE-2015-8871: Use-after-free in opj_j2k_write_mco' from 'openjpeg2: Use-after-free in opj_j2k_write_mco'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 800149-submit@bugs.debian.org. (Fri, 13 May 2016 04:45:04 GMT)


Added tag(s) pending. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Sun, 10 Jul 2016 16:57:12 GMT)


Reply sent to Mathieu Malaterre <malat@debian.org>:
You have taken responsibility. (Mon, 11 Jul 2016 07:51:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 11 Jul 2016 07:51:15 GMT)


Message #19 received at 800149-close@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 800149-close@bugs.debian.org
Subject: Bug#800149: fixed in openjpeg2 2.1.1-1
Date: Mon, 11 Jul 2016 07:48:35 +0000
Source: openjpeg2
Source-Version: 2.1.1-1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 800149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 11 Jul 2016 09:28:19 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source
Version: 2.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression library
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 772889 784377 787383 800149 800453 818399 820190 822577 829734
Changes:
 openjpeg2 (2.1.1-1) unstable; urgency=medium
 .
   * New upstream. Closes: #829734
     + d/watch points toward github now
     + Fix man page typos. Closes: #772889, #784377
     + Raise priority to optional. Closes: #822577
     + Fix multiple CVEs: Closes: #800453, #800149, #818399
   * Fix pc file. Closes: #787383
   * Remove reference to contrib. Closes: #820190
   * Bump Std-Vers to 3.9.8, no changes needed
Checksums-Sha1:
 591f57eca2f6c14f3533d3eeee9ebdf91307bb6a 2745 openjpeg2_2.1.1-1.dsc
 b995742c41abe58828d72ffec52404ec91111194 1984111 openjpeg2_2.1.1.orig.tar.gz
 36418e6ee0ff229fe2ddd369fb6fbb203526005d 19520 openjpeg2_2.1.1-1.debian.tar.xz
Checksums-Sha256:
 5ae3c3a55b5ac4016aa4b119c13609af2f954d4765dbd21d7d49d381fe89663e 2745 openjpeg2_2.1.1-1.dsc
 82c27f47fc7219e2ed5537ac69545bf15ed8c6ba8e6e1e529f89f7356506dbaa 1984111 openjpeg2_2.1.1.orig.tar.gz
 b7b43c2a23d4719009dc8cc7cad01faff779d7f7ab11ae1a9c6293dbd54f00f1 19520 openjpeg2_2.1.1-1.debian.tar.xz
Files:
 c9e4cda2d708ff2053242d4dfc308291 2745 libs optional openjpeg2_2.1.1-1.dsc
 0cc4b2aee0a9b6e9e21b7abcd201a3ec 1984111 libs optional openjpeg2_2.1.1.orig.tar.gz
 e870c7e4846c8db878e8104de6cb6e3c 19520 libs optional openjpeg2_2.1.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
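The close message above carries the Checksums-Sha256 block for the 2.1.1-1 source upload, which is what a practitioner should compare against before building or auditing the fixed openjpeg2 source. The script below is an added example, not part of the bug log or of Debian's tooling: it takes a manifest in the same "sha256 size filename" layout as the block above and checks each file in a directory for both size and SHA-256. The three manifest lines are copied from the block above; the directory name is an assumption, and the test data (an empty file) is constructed for the example.

```shell
#!/bin/sh
# Verify files against a Checksums-Sha256 block from a Debian .changes file.
# Added example; the manifest layout ("sha256 size name") is the one used in the
# .changes file above, the directory layout is assumed.

# Copied from the Checksums-Sha256 block of the openjpeg2 2.1.1-1 upload above.
OPENJPEG_2_1_1_SHA256='5ae3c3a55b5ac4016aa4b119c13609af2f954d4765dbd21d7d49d381fe89663e 2745 openjpeg2_2.1.1-1.dsc
82c27f47fc7219e2ed5537ac69545bf15ed8c6ba8e6e1e529f89f7356506dbaa 1984111 openjpeg2_2.1.1.orig.tar.gz
b7b43c2a23d4719009dc8cc7cad01faff779d7f7ab11ae1a9c6293dbd54f00f1 19520 openjpeg2_2.1.1-1.debian.tar.xz'

# verify_sha256_block DIR MANIFEST
# Checks every "sha256 size name" line of MANIFEST against DIR/name.
# Prints one status line per file; returns 0 only if every file exists and
# matches both the expected size and the expected SHA-256.
verify_sha256_block() {
    dir="$1"
    manifest="$2"
    status=0
    while read -r sum size name; do
        # skip blank lines (leading whitespace is already stripped by read)
        [ -z "$name" ] && continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual_size=$(wc -c < "$path" | tr -d ' ')
        actual_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual_size" != "$size" ]; then
            # size mismatch is cheap to detect and often means a truncated download
            echo "SIZE     $name (expected $size, got $actual_size)"
            status=1
        elif [ "$actual_sum" != "$sum" ]; then
            echo "SHA256   $name mismatch"
            status=1
        else
            echo "OK       $name"
        fi
    done <<EOF
$manifest
EOF
    return $status
}

# Usage: run against a directory holding the three 2.1.1-1 source files
# (directory name assumed for the example):
#   verify_sha256_block ./openjpeg2-2.1.1-1 "$OPENJPEG_2_1_1_SHA256"
```

The checksums are only as trustworthy as the PGP signature on the .changes or .dsc that carries them; this script does not check that signature, so pair it with `dscverify` from the devscripts package (or a manual `gpg --verify` against the Debian keyring) rather than treating a hash match alone as proof of provenance.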




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Aug 2016 07:44:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:57:35 2019; Machine Name: buxtehude
