openjpeg: CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054 CVE-2013-6053 CVE-2013-6887

Related Vulnerabilities: CVE-2013-1447, CVE-2013-6045, CVE-2013-6052, CVE-2013-6054, CVE-2013-6053, CVE-2013-6887

Debian Bug report logs - #731237

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 3 Dec 2013 13:33:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions 1.3+dfsg-4, 1.5.1-2, 1.5.1-1

Fixed in versions 1.3+dfsg-4.7, 1.3+dfsg-4+squeeze2, openjpeg/1.5.2-1

Done: Mathieu Malaterre <malat@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://code.google.com/p/openjpeg/issues/detail?id=297


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#731237; Package openjpeg. (Tue, 03 Dec 2013 13:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 03 Dec 2013 13:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpeg: CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054
Date: Tue, 03 Dec 2013 14:29:09 +0100
Package: openjpeg
Severity: grave
Tags: security upstream patch

Hi

This is to track the issues released with DSA-2808-1 for openjpeg in
the BTS. See

 http://lists.debian.org/debian-security-announce/2013/msg00222.html
 http://www.debian.org/security/2013/dsa-2808

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#731237; Package openjpeg. (Tue, 03 Dec 2013 15:12:05 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 03 Dec 2013 15:12:05 GMT)


Message #10 received at 731237@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 731237@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#731237: openjpeg: CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054
Date: Tue, 3 Dec 2013 16:08:46 +0100
Hi,

There are also some other issues that are specific to 1.5.1 (or at
least they do not affect 1.3):

CVE-2013-6053: information leaks
CVE-2013-6887: DoS

All the patches will be available as soon as I forward to oss-sec the
messages I sent to the distros list.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Marked as found in versions 1.3+dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2014 06:03:08 GMT)


Marked as found in versions 1.5.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2014 06:03:08 GMT)


Marked as fixed in versions 1.3+dfsg-4+squeeze2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2014 06:03:09 GMT)


Marked as fixed in versions 1.3+dfsg-4.7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2014 06:03:10 GMT)


Changed Bug title to 'openjpeg: CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054 CVE-2013-6053 CVE-2013-6887' from 'openjpeg: CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2014 06:09:05 GMT)


Marked as found in versions 1.5.1-2. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Mon, 17 Mar 2014 10:03:08 GMT)


Set Bug forwarded-to-address to 'http://code.google.com/p/openjpeg/issues/detail?id=297'. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Mon, 17 Mar 2014 10:09:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#731237; Package openjpeg. (Wed, 19 Mar 2014 08:03:07 GMT)


Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 19 Mar 2014 08:03:08 GMT)


Message #29 received at 731237@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 731237@bugs.debian.org
Date: Wed, 19 Mar 2014 08:59:44 +0100
Control: forwarded -1 http://code.google.com/p/openjpeg/issues/detail?id=297
Control: tag -1 fixed-upstream pending

Will be fixed when 1.5.2 comes out.



Added tag(s) pending and fixed-upstream. Request was from Mathieu Malaterre <malat@debian.org> to 731237-submit@bugs.debian.org. (Wed, 19 Mar 2014 08:03:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#731237; Package openjpeg. (Mon, 24 Mar 2014 22:27:05 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 24 Mar 2014 22:27:05 GMT)


Message #36 received at 731237@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Mathieu Malaterre <malat@debian.org>, 731237@bugs.debian.org
Subject: Re: Bug#731237:
Date: Mon, 24 Mar 2014 23:25:55 +0100
On Wed, Mar 19, 2014 at 08:59:44 +0100, Mathieu Malaterre wrote:

> Will be fixed when 1.5.2 comes out.

Is there an ETA?  It'd be nice to not wait too long to fix this bug, as
currently this blocks the transition of openjpeg and its rdeps to
jessie.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#731237; Package openjpeg. (Tue, 25 Mar 2014 08:33:10 GMT)


Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 25 Mar 2014 08:33:10 GMT)


Message #41 received at 731237@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 731237 <731237@bugs.debian.org>, Antonin Descampe <info@openjpeg.org>
Subject: Re: Bug#731237:
Date: Tue, 25 Mar 2014 09:17:21 +0100
On Mon, Mar 24, 2014 at 11:25 PM, Julien Cristau <jcristau@debian.org> wrote:
> On Wed, Mar 19, 2014 at 08:59:44 +0100, Mathieu Malaterre wrote:
>
>> Will be fixed when 1.5.2 comes out.
>
> Is there an ETA?  It'd be nice to not wait too long to fix this bug, as
> currently this blocks the transition of openjpeg and its rdeps to
> jessie.

Ooops. I forgot this would hold the transition.

We've discussed the 1.5.2 release yesterday and we are aiming at a
release this Thursday (03/27).

Thanks for your patience,



Reply sent to Mathieu Malaterre <malat@debian.org>:
You have taken responsibility. (Thu, 27 Mar 2014 21:27:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Mar 2014 21:27:22 GMT)


Message #46 received at 731237-close@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 731237-close@bugs.debian.org
Subject: Bug#731237: fixed in openjpeg 1.5.2-1
Date: Thu, 27 Mar 2014 21:23:09 +0000
Source: openjpeg
Source-Version: 1.5.2-1

We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 27 Mar 2014 20:19:41 +0100
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg5 libopenjpeg-java libopenjpeg5-dbg openjpip-dec-server openjpip-viewer-xerces openjpip-viewer openjpip-server openjpeg-tools
Architecture: source amd64 all
Version: 1.5.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description: 
 libopenjpeg-dev - development files for OpenJPEG, a JPEG 2000 image library - dev
 libopenjpeg-java - java bindings for libopenjpeg, a JPEG 2000 image library
 libopenjpeg5 - JPEG 2000 image compression/decompression library - runtime
 libopenjpeg5-dbg - debug symbols for libopenjpeg5, a JPEG 2000 image library
 openjpeg-tools - command-line tools using the JPEG 2000 library
 openjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 openjpip-server - JPIP server for JPEG 2000 files
 openjpip-viewer - JPEG 2000 java based viewer for basic remote JPIP access
 openjpip-viewer-xerces - JPEG 2000 java based viewer for advanced remote JPIP access
Closes: 697806 716594 716595 731237 741915 741916 741974
Changes: 
 openjpeg (1.5.2-1) unstable; urgency=low
 .
   * New upstream.
     Closes: #731237, #697806, #716594, #716595, #741915, #741974, #741916
   * Update watch file to now point to sf.net mirror




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Apr 2014 07:28:17 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:04 2019; Machine Name: buxtehude
