openjpeg2: CVE-2016-9114

Related Vulnerabilities: CVE-2016-9114   CVE-2016-9113   CVE-2016-9115   CVE-2016-9116   CVE-2016-9117  

Debian Bug report logs - #844553
openjpeg2: CVE-2016-9114


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 16 Nov 2016 20:27:08 UTC

Severity: important

Tags: security, upstream

Found in version openjpeg2/2.1.2-1

Forwarded to https://github.com/uclouvain/openjpeg/issues/857



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#844553; Package src:openjpeg2. (Wed, 16 Nov 2016 20:27:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 16 Nov 2016 20:27:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpeg2: CVE-2016-9114
Date: Wed, 16 Nov 2016 21:24:28 +0100
Source: openjpeg2
Version: 2.1.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/857

Hi,

the following vulnerability was published for openjpeg2.

CVE-2016-9114[0]:
| There is a NULL Pointer Access in function imagetopnm of
| convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not
| assigned a value after initialization(NULL). Impact is Denial of
| Service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9114
[1] https://github.com/uclouvain/openjpeg/issues/857

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
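
The failure mode in the CVE description above (a component whose `data` pointer is still NULL when the PNM writer walks it), shown as an added C example that is not OpenJPEG's code or its upstream fix. `comp_t`, `image_t`, `first_bad_component` and `image_to_pnm` are hypothetical simplified stand-ins, and the 2x1 image is constructed sample input.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified stand-ins for a decoder's image structures (hypothetical names,
 * not OpenJPEG's real definitions). */
typedef struct { uint32_t w, h; int32_t *data; } comp_t;
typedef struct { uint32_t numcomps; comp_t *comps; } image_t;

/* Index of the first component that cannot be written out, or -1 if none. */
int first_bad_component(const image_t *img) {
    if (!img || !img->comps || img->numcomps == 0) return 0;
    for (uint32_t c = 0; c < img->numcomps; c++) {
        const comp_t *k = &img->comps[c];
        if (k->data == NULL) return (int)c;       /* plane never filled in */
        if (k->w == 0 || k->h == 0) return (int)c;
        if (k->w != img->comps[0].w || k->h != img->comps[0].h)
            return (int)c;                        /* interleaving needs equal sizes */
    }
    return -1;
}

/* Writes an 8-bit binary PGM/PPM into out; returns bytes written, or -1 when
 * the image is rejected instead of dereferencing a bad component. */
long image_to_pnm(const image_t *img, unsigned char *out, size_t cap) {
    if (!out || first_bad_component(img) != -1) return -1;
    if (img->numcomps != 1 && img->numcomps != 3) return -1;
    uint32_t w = img->comps[0].w, h = img->comps[0].h;
    if (h > SIZE_MAX / w) return -1;              /* w * h must fit in size_t */
    int hdr = snprintf((char *)out, cap, "P%c\n%u %u\n255\n",
                       img->numcomps == 1 ? '5' : '6', (unsigned)w, (unsigned)h);
    size_t n = (size_t)w * h;
    if (hdr < 0 || (size_t)hdr >= cap ||
        n > (cap - (size_t)hdr) / img->numcomps) return -1;
    size_t pos = (size_t)hdr;
    for (size_t i = 0; i < n; i++)
        for (uint32_t c = 0; c < img->numcomps; c++)
            out[pos++] = (unsigned char)(img->comps[c].data[i] & 0xFF);
    return (long)pos;
}

/* Constructed sample: 2x1 RGB image, optionally with the green plane left NULL. */
long demo_rgb(int drop_green) {
    int32_t r[2] = {10, 20}, g[2] = {1, 2}, b[2] = {30, 40};
    comp_t comps[3] = {{2, 1, r}, {2, 1, drop_green ? NULL : g}, {2, 1, b}};
    image_t img = {3, comps};
    unsigned char buf[64];
    return image_to_pnm(&img, buf, sizeof buf);
}
```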



Reply sent to Mathieu Malaterre <malat@debian.org>:
You have taken responsibility. (Fri, 22 Sep 2017 21:09:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 22 Sep 2017 21:09:10 GMT)


Message #10 received at 844553-close@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 844553-close@bugs.debian.org
Subject: Bug#844553: fixed in openjpeg2 2.2.0-1
Date: Fri, 22 Sep 2017 21:06:30 +0000
Source: openjpeg2
Source-Version: 2.2.0-1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 844553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 22 Sep 2017 21:51:36 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 844552 844553 844554 844555 844556 872041
Changes:
 openjpeg2 (2.2.0-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #872041
   * Fix CVE-2016-9113. Closes: #844552
   * Fix CVE-2016-9114. Closes: #844553
   * Fix CVE-2016-9115. Closes: #844554
   * Fix CVE-2016-9116. Closes: #844555
   * Fix CVE-2016-9117. Closes: #844556




No longer marked as fixed in versions openjpeg2/2.2.0-1. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Mon, 25 Sep 2017 13:21:09 GMT)


Bug reopened. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Mon, 25 Sep 2017 13:30:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:30:35 2019; Machine Name: buxtehude
