openjpeg2: CVE-2016-9572 CVE-2016-9573


Debian Bug report logs - #851422
openjpeg2: CVE-2016-9572 CVE-2016-9573


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 14 Jan 2017 18:51:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version openjpeg2/2.1.0-2

Fixed in versions openjpeg2/2.2.0-1, openjpeg2/2.1.0-2+deb8u2, openjpeg2/2.1.2-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/uclouvain/openjpeg/issues/863




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#851422; Package src:openjpeg2. (Sat, 14 Jan 2017 18:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sat, 14 Jan 2017 18:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjpeg2: CVE-2016-9572 CVE-2016-9573
Date: Sat, 14 Jan 2017 19:50:19 +0100
Source: openjpeg2
Version: 2.1.0-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://github.com/uclouvain/openjpeg/issues/863
Control: fixed -1 2.1.0-2+deb8u2

Hi,

the following vulnerabilities were published for openjpeg2. Filing it
as RC severity, since Moritz's DSA for openjpeg2 will contain fixes
for those two CVEs, and not having those fixed in stretch would imply
a regression.

CVE-2016-9572[0] and CVE-2016-9573[1]. There is an upstream issue at
[2] with patch[3].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9572
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
[1] https://security-tracker.debian.org/tracker/CVE-2016-9573
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
[2] https://github.com/uclouvain/openjpeg/issues/863
[3] https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d

Regards,
Salvatore



Marked as fixed in versions openjpeg2/2.1.0-2+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 14 Jan 2017 18:51:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#851422; Package src:openjpeg2. (Sun, 22 Jan 2017 13:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 22 Jan 2017 13:57:06 GMT)


Message #12 received at 851422@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 851422@bugs.debian.org
Subject: openjpeg2: diff for NMU version 2.1.2-1.1
Date: Sun, 22 Jan 2017 14:54:21 +0100
Control: tags 851422 + pending

Dear maintainer,

I've prepared an NMU for openjpeg2 (versioned as 2.1.2-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[openjpeg2-2.1.2-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 851422-submit@bugs.debian.org. (Sun, 22 Jan 2017 13:57:06 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 24 Jan 2017 15:18:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 24 Jan 2017 15:18:06 GMT)


Message #19 received at 851422-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 851422-close@bugs.debian.org
Subject: Bug#851422: fixed in openjpeg2 2.1.2-1.1
Date: Tue, 24 Jan 2017 15:14:38 +0000
Source: openjpeg2
Source-Version: 2.1.2-1.1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Jan 2017 14:18:13 +0100
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: all source
Version: 2.1.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 851422
Description: 
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression library
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Changes:
 openjpeg2 (2.1.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add CVE-2016-9572_CVE-2016-9573.patch patch.
     CVE-2016-9572: NULL pointer dereference in input decoding
     CVE-2016-9573: Heap out-of-bounds read due to insufficient check in
     imagetopnm(). (Closes: #851422)
Checksums-Sha1: 
 50ddef758320bd23c768767a016baedd562b9f44 2924 openjpeg2_2.1.2-1.1.dsc
 1fbf5f76f97a99292463e153301c36a5766365ec 19364 openjpeg2_2.1.2-1.1.debian.tar.xz
 2c5ab2904d14808e26f0bad53c307d38588d824d 44488 libopenjpip-viewer_2.1.2-1.1_all.deb
Checksums-Sha256: 
 103af13df834b24267c86617944f1fe1204a30b3053a1a4b032bb131ef23b126 2924 openjpeg2_2.1.2-1.1.dsc
 b19b15ac6306c19734f0626f974c8863e4dc21a1df849a8ae81008479b5b0daf 19364 openjpeg2_2.1.2-1.1.debian.tar.xz
 e86ff5f6bda77c7f33b84d1521cf23ca784f6d3cff4c2732251a6f007bb0b5cc 44488 libopenjpip-viewer_2.1.2-1.1_all.deb
Files: 
 802071a28cab62ce2d912da64437652f 2924 libs optional openjpeg2_2.1.2-1.1.dsc
 1672d0c7de5196f2e67eeeed091f72cb 19364 libs optional openjpeg2_2.1.2-1.1.debian.tar.xz
 8397640d4a09518f5cb6a130ab4683b4 44488 graphics optional libopenjpip-viewer_2.1.2-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
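The changelog above names the bug class for CVE-2016-9573 but not its shape. The following is an added illustration, not OpenJPEG's code and not the upstream patch linked from the report: a PNM-style writer that interleaves three components using the geometry of component 0 for all of them (the unchecked pattern), beside a writer that first verifies every component has the same width, height and precision and a non-NULL sample buffer. Type and function names (comp_t, image_t, ppm_write_unchecked, ppm_write_checked, comps_compatible, make_image) and the 4x4 / 2x2 sample planes are hypothetical, constructed for this example; real OpenJPEG images have more fields and the real fix lives in the upstream commit referenced in message #5.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified image model for this example. */
typedef struct {
    uint32_t w, h;      /* component dimensions; differ between planes when subsampled */
    uint32_t prec;      /* bits per sample */
    int32_t *data;      /* w * h samples, NULL if this plane was never decoded */
} comp_t;

typedef struct {
    uint32_t numcomps;
    comp_t *comps;
} image_t;

/* Unchecked pattern: the loop bound comes from component 0 but data[i] is read
 * from every component. With 4:2:0 subsampling the chroma planes hold a quarter
 * of the luma sample count, so the reads run off the end of comps[1]/comps[2].
 * Only call this on images whose planes are known to match. */
size_t ppm_write_unchecked(const image_t *img, unsigned char *out, size_t cap)
{
    uint32_t w = img->comps[0].w, h = img->comps[0].h;
    size_t n = 0;
    for (uint32_t i = 0; i < w * h; i++)
        for (uint32_t c = 0; c < 3; c++) {
            if (n == cap) return n;
            out[n++] = (unsigned char)img->comps[c].data[i];
        }
    return n;
}

/* Hardened precondition: the first `need` components must share geometry and
 * precision and each must actually carry a buffer. Returns 1 if acceptable. */
int comps_compatible(const image_t *img, uint32_t need)
{
    if (img == NULL || img->comps == NULL || img->numcomps < need) return 0;
    const comp_t *c0 = &img->comps[0];
    if (c0->data == NULL || c0->prec == 0 || c0->prec > 8) return 0;
    for (uint32_t c = 1; c < need; c++) {
        const comp_t *cc = &img->comps[c];
        if (cc->data == NULL) return 0;
        if (cc->w != c0->w || cc->h != c0->h || cc->prec != c0->prec) return 0;
    }
    return 1;
}

/* Returns bytes written, or -1 when the image is rejected or `out` is too small.
 * Size arithmetic is done in 64 bits so w * h cannot wrap before the compare. */
long ppm_write_checked(const image_t *img, unsigned char *out, size_t cap)
{
    if (!comps_compatible(img, 3)) return -1;
    uint64_t pixels = (uint64_t)img->comps[0].w * img->comps[0].h;
    if (pixels * 3 > cap) return -1;
    size_t n = 0;
    for (uint64_t i = 0; i < pixels; i++)
        for (uint32_t c = 0; c < 3; c++)
            out[n++] = (unsigned char)img->comps[c].data[i];
    return (long)n;
}

/* Constructed sample data (not decoder output): a 4x4 luma plane with either
 * full-size or 2x2 subsampled chroma planes. `comps` must hold 3 entries. */
static int32_t luma[16], cb_full[16], cr_full[16], cb_half[4], cr_half[4];

image_t make_image(comp_t comps[3], int subsampled)
{
    for (int i = 0; i < 16; i++) { luma[i] = i; cb_full[i] = 100 + i; cr_full[i] = 200 + i; }
    for (int i = 0; i < 4; i++)  { cb_half[i] = 100 + i; cr_half[i] = 200 + i; }
    comps[0] = (comp_t){4, 4, 8, luma};
    if (subsampled) {
        comps[1] = (comp_t){2, 2, 8, cb_half};
        comps[2] = (comp_t){2, 2, 8, cr_half};
    } else {
        comps[1] = (comp_t){4, 4, 8, cb_full};
        comps[2] = (comp_t){4, 4, 8, cr_full};
    }
    image_t img = {3, comps};
    return img;
}

int main(void)
{
    unsigned char buf[48];
    comp_t a[3], b[3];
    image_t ok = make_image(a, 0);
    image_t sub = make_image(b, 1);
    printf("matching planes: %ld bytes\n", ppm_write_checked(&ok, buf, sizeof buf));
    printf("subsampled planes: %ld (rejected)\n", ppm_write_checked(&sub, buf, sizeof buf));
    return 0;
}
```

The unchecked writer is kept only to show the shape of the bug; the test below never calls it on the subsampled image, because that read is undefined behaviour rather than a checkable result. The hardened writer rejects the same input before touching any sample.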




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:26:44 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Sep 2017 11:36:22 GMT)


Marked as fixed in versions openjpeg2/2.2.0-1. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Thu, 28 Sep 2017 18:30:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Oct 2017 07:25:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:57:13 2019; Machine Name: beach
