Multiple security issues

Related Vulnerabilities: CVE-2016-3183, CVE-2016-3182, CVE-2016-3181, CVE-2016-1923, CVE-2016-1924

Debian Bug report logs - #818399

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 16 Mar 2016 20:45:02 UTC

Severity: grave

Tags: security

Fixed in version openjpeg2/2.1.1-1

Done: Mathieu Malaterre <malat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#818399; Package src:openjpeg2. (Wed, 16 Mar 2016 20:45:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 16 Mar 2016 20:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Wed, 16 Mar 2016 21:44:07 +0100
Source: openjpeg2
Severity: grave
Tags: security

Hi,
multiple security issues were found in openjpeg2:

1. Out-Of-Bounds Read in sycc422_to_rgb function (CVE-2016-3183)
   http://www.openwall.com/lists/oss-security/2016/03/14/14
   https://github.com/uclouvain/openjpeg/issues/726

2. Heap Corruption in opj_free function (CVE-2016-3182)
   http://www.openwall.com/lists/oss-security/2016/03/14/13
   https://github.com/uclouvain/openjpeg/issues/725

3. Out-Of-Bounds Read in opj_tcd_free_tile function (CVE-2016-3181)
   http://www.openwall.com/lists/oss-security/2016/03/14/12
   https://github.com/uclouvain/openjpeg/issues/724

4. Out-of-bounds read in opj_j2k_update_image_data and opj_tgt_reset
   function (CVE-2016-1923, CVE-2016-1924)
   http://www.openwall.com/lists/oss-security/2016/01/18/4
   https://github.com/uclouvain/openjpeg/issues/704

Cheers,
        Moritz


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#818399; Package src:openjpeg2. (Thu, 28 Apr 2016 06:27:03 GMT)


Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Thu, 28 Apr 2016 06:27:03 GMT)


Message #10 received at 818399@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 818399@bugs.debian.org
Subject: Multiple security issues
Date: Thu, 28 Apr 2016 08:25:09 +0200
Control: tags -1 pending

I'll upload the coming release ASAP:

https://github.com/uclouvain/openjpeg/commits/openjpeg-2.1



Added tag(s) pending. Request was from Mathieu Malaterre <malat@debian.org> to 818399-submit@bugs.debian.org. (Thu, 28 Apr 2016 06:27:03 GMT)


Reply sent to Mathieu Malaterre <malat@debian.org>:
You have taken responsibility. (Mon, 11 Jul 2016 07:51:22 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 11 Jul 2016 07:51:22 GMT)


Message #17 received at 818399-close@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 818399-close@bugs.debian.org
Subject: Bug#818399: fixed in openjpeg2 2.1.1-1
Date: Mon, 11 Jul 2016 07:48:35 +0000
Source: openjpeg2
Source-Version: 2.1.1-1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818399@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <malat@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 11 Jul 2016 09:28:19 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source
Version: 2.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <malat@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression library
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 772889 784377 787383 800149 800453 818399 820190 822577 829734
Changes:
 openjpeg2 (2.1.1-1) unstable; urgency=medium
 .
   * New upstream. Closes: #829734
     + d/watch points toward github now
     + Fix man page typos. Closes: #772889, #784377
     + Raise priority to optional. Closes: #822577
     + Fix multiple CVEs: Closes: #800453, #800149, #818399
   * Fix pc file. Closes: #787383
   * Remove reference to contrib. Closes: #820190
   * Bump Std-Vers to 3.9.8, no changes needed

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 11:54:53 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:47:12 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 12:14:10 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:02:21 2019; Machine Name: buxtehude
