Debian Bug report logs -
#681075
Fwd: Openjpeg heap buffer overflow issue affecting 1.4 and 1.5
Reported by: Mathieu Malaterre <malat@debian.org>
Date: Tue, 10 Jul 2012 13:21:02 UTC
Severity: important
Tags: fixed-upstream, patch, security
Found in versions 1.3+dfsg-4.3, 1.3+dfsg-4.2
Fixed in version openjpeg/1.3+dfsg-4.4
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681075; Package openjpeg.
(Tue, 10 Jul 2012 13:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Mathieu Malaterre <malat@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Tue, 10 Jul 2012 13:21:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: openjpeg
Version: 1.3+dfsg-4.2
Severity: important
Tags: security patch fixed-upstream
Hi Mathieu,
We have found a heap-buffer overflow issue in openjpeg, when decoding
j2k image files. I am attaching a patch to this email.
We will be making this issue public on 9-July-2012 Monday.
Sorry for the short notice, let me know if you need more time.
This issue affects both version 1.4 and 1.5
--
Huzaifa Sidhpurwala / Red Hat Security Response Team
[openjpeg-tile-sanity.patch (text/x-patch, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681075; Package openjpeg.
(Wed, 11 Jul 2012 07:54:24 GMT) (full text, mbox, link).
Acknowledgement sent
to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Wed, 11 Jul 2012 07:54:24 GMT) (full text, mbox, link).
Message #10 received at 681075@bugs.debian.org (full text, mbox, reply):
CVE-2012-3358 openjpeg: heap-based buffer overflow when processing
JPEG2000 image files
Marked as found in versions 1.3+dfsg-4.3.
Request was from Mathieu Malaterre <malat@debian.org>
to control@bugs.debian.org.
(Wed, 11 Jul 2012 07:54:29 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681075; Package openjpeg.
(Wed, 11 Jul 2012 20:15:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Wed, 11 Jul 2012 20:15:07 GMT) (full text, mbox, link).
Message #17 received at 681075@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
I've just uploaded an nmu fixing this security issue. See attached.
Best wishes,
Mike
[openjpeg.patch (application/octet-stream, attachment)]
Reply sent
to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility.
(Wed, 11 Jul 2012 20:51:13 GMT) (full text, mbox, link).
Notification sent
to Mathieu Malaterre <malat@debian.org>:
Bug acknowledged by developer.
(Wed, 11 Jul 2012 20:51:13 GMT) (full text, mbox, link).
Message #22 received at 681075-close@bugs.debian.org (full text, mbox, reply):
Source: openjpeg
Source-Version: 1.3+dfsg-4.4
We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 681075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated openjpeg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 11 Jul 2012 15:52:34 -0400
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg2 libopenjpeg2-dbg openjpeg-tools
Architecture: source amd64
Version: 1.3+dfsg-4.4
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
libopenjpeg-dev - development files for libopenjpeg2, a JPEG 2000 image library
libopenjpeg2 - JPEG 2000 image compression/decompression library
libopenjpeg2-dbg - debug symbols for libopenjpeg2, a JPEG 2000 image library
openjpeg-tools - command-line tools using the JPEG 2000 library
Closes: 681075
Changes:
openjpeg (1.3+dfsg-4.4) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2012-3358: buffer overflow in JPEG2000 image file handling
(closes: #681075).
Checksums-Sha1:
430952022af657d4acbe81471ccc47a1c246495c 2869 openjpeg_1.3+dfsg-4.4.dsc
6043add5cb16fe3fccb73da3c86238df02693510 13166 openjpeg_1.3+dfsg-4.4.diff.gz
57a8f3cf8bb458a7781cfe9d03102dd050bcf365 99624 libopenjpeg-dev_1.3+dfsg-4.4_amd64.deb
9717ea958b4c68dfddbe15c8957e269c34a38438 85672 libopenjpeg2_1.3+dfsg-4.4_amd64.deb
0984979520b213b87270e6ead37f94c7f0710065 448778 libopenjpeg2-dbg_1.3+dfsg-4.4_amd64.deb
e44ce35ea8ff5c3802e89aef139c062f03651c6b 216970 openjpeg-tools_1.3+dfsg-4.4_amd64.deb
Checksums-Sha256:
9a6cef2aaca601db432c0ec0385a039747138ecc4b3b891015c68fe24c7639c9 2869 openjpeg_1.3+dfsg-4.4.dsc
410df89f0f7a7b0636b40b030bc30f2d912f148b312d21353aa3ddbed4f05a70 13166 openjpeg_1.3+dfsg-4.4.diff.gz
4fbfd6628bc5dbafe3ce50ab45a8096e35cfba2fcfd9e29532aa972af6906352 99624 libopenjpeg-dev_1.3+dfsg-4.4_amd64.deb
f352d136c42ca7db1008d489b220ec72636aef871cea3e30835de6937f72cd9a 85672 libopenjpeg2_1.3+dfsg-4.4_amd64.deb
0dcea53c2d20823c3622bbd385502fc429ca157b803e6d999df46808dcdff585 448778 libopenjpeg2-dbg_1.3+dfsg-4.4_amd64.deb
3c86f4339eb2385ab69d60682e95fc1dbe25e84157903212086c7b57bc99d100 216970 openjpeg-tools_1.3+dfsg-4.4_amd64.deb
Files:
46762dae01a2589150886ddccb56d7e7 2869 libs extra openjpeg_1.3+dfsg-4.4.dsc
107d52d6c6c70f6f1ba9d97469e41365 13166 libs extra openjpeg_1.3+dfsg-4.4.diff.gz
b0ce39f9781fa664666527789faa0c98 99624 libdevel extra libopenjpeg-dev_1.3+dfsg-4.4_amd64.deb
ae58d65b535dbd7347fbc4cd32c45251 85672 libs extra libopenjpeg2_1.3+dfsg-4.4_amd64.deb
f18acab58ba6e45d4b226ed9c2381178 448778 libdevel extra libopenjpeg2-dbg_1.3+dfsg-4.4_amd64.deb
ed808e08c765072064f535e2b4b77ef4 216970 graphics extra openjpeg-tools_1.3+dfsg-4.4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQQcBAEBCAAGBQJP/dzxAAoJELjWss0C1vRzXwQf/A6tuFGrEws6uTH6mR5C+JmR
msIIoD0qa377bVyU430zCSTnc17HgerzIm4+DpehrfaZbHs0WahZRRdUvdxqTY7v
GPATaLP5wtkJroPrYE81Sguuinm2K8pKJ0nis6zgrl8DdSQwwmFK7rejqFPALMf6
9B7GBHpwwSaFI2h0bWCrY4om+HaTZiRFZbnhK3mYk1qcigKwG8Oi77NSSdSHjxGK
I2qQZ9Oz+aRChjuyUkOSOKXGr1WlXM/GLgWEYAG5uhkUSDs0+8r6rZ+8JwMfU4z5
Qgy/AAcSiQRjiNQ2v62uqE+G1ALaPmYRNMPoABjt/7kFSGpua6GczZe0/mP3xzhH
jqeykVeHW11w8i+BARJIywy70pcb9rBzToA3bDiNBFE1ptJLQQlZe3Pxx+HKmIZv
z5v8u6NMqGSJ/Q2L0lpF4EeCwt/Gc0oxOJD1m8Cl32fQRupNBzJUo2NgzAXfwipm
vKFUR6nBnTZRDFUXLF/8Hpp+/q6hKqMG/Y57MoFFciSMTNbMiNu+2NNGK4ZIq/AM
UD/Yt8EJEw9PuxV+sL/rgMXFrWUmFUb3Dkya0v5566M8v6er0GrIvS+3cRVkrPHi
NoesZTKDGf7Evuk2c7dLjtMe3gwuB7eedsSQN19TmqTSeHHnheyOkUDkEgDZBfN5
/utC30rQq6pcOJIAfWID26kthV16cP4DSBqy4RK0iYIFPoP5OJBqhTr/EF0E71zQ
+RoL8pLgf9Ub0tf+crtCtM8a1c/2LsTH5ySVWuYynOHRt4vdD6rxjocNz0y9JOjS
CzDRwOLfHx9Evys5R9tNj6itE2pUPWJmOUv/QcYgTpcC/HUdMX1RJ41bRYXhV3AP
TA6cb9F0dWgyHgX3l2hYZSbBDbaNIVQ/hos/GCmeh72J38cOcM1j+FvLt+i1WEkJ
RfXvFTv/ZvSPjLksJCYg7RffQ2JIbHJ5HbJRGtKj/LIhnFiyZBnbLHhewZTb9ubr
aSgOETPsiB5mEa3lqHrvxMvL7vpKFSg9Kx58EJWLUQxd4N4XO+A7qtLogKUPXmoO
kAg/9mwecvdD/nSNnQMjT72p9KyL5ms1FwL7pokJhG4YObHrIf6Sh4iy72P3Prbr
HETtbisaGVx3PF2oWBAG9EJZUajILnmvS26YnPbKyzoCqdFNnwZHP4W7VbvcscE1
1DRvKxzVowKP2L+HD8P1YX03NQ6QKi0YXWEo5gUNZ/2eOlagElPssC95v3vxwCPV
sF9qjH7aFL3uGgVOIu2lzICtMWm430+s49Ffd6J15FGBUI96p9zb1bEIyNWl/0Ca
U67oinqdDT3FBCIpog6w53GOpb88iDKm+kKbBCjdeE0xrReVfKtW7fq7vNGvWwg=
=fLJJ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 09 Aug 2012 07:28:33 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:03:22 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon