Debian alert DLA-1950-1 (openjpeg2)
From: Hugo Lefeuvre <hle@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1950-1] openjpeg2 security update
Date: Tue, 8 Oct 2019 16:10:39 +0200
Message-ID: <20191008141039.7enkw6o3gng7raj3@behemoth.owl.eu.com.local>

Package        : openjpeg2
Version        : 2.1.0-2+deb8u8
CVE ID         : CVE-2018-21010
Debian Bug     : 939553

A heap buffer overflow vulnerability was discovered in openjpeg2, the
open-source JPEG 2000 codec.

This vulnerability is caused by insufficient validation of width and
height of image components in color_apply_icc_profile
(src/bin/common/color.c). Remote attackers might leverage this
vulnerability via a crafted JP2 file, leading to denial of service
(application crash) or any other undefined behavior.

For Debian 8 "Jessie", this problem has been fixed in version
2.1.0-2+deb8u8.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
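
The advisory attributes the overflow to missing validation of component width and height. As an added example (not OpenJPEG's code and not the Debian patch), the C below shows the general defensive pattern: code that walks several component planes with one shared sample count must first confirm that every plane really has those dimensions. `comp_t`, `comps_uniform`, `pack_rgb` and `demo_accepts` are hypothetical names, and the sample planes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified image component (not OpenJPEG's struct). */
typedef struct {
    uint32_t w, h;        /* dimensions in samples */
    const int32_t *data;  /* w * h samples */
} comp_t;

/* Return 1 and set *count when all n components have data and the same
 * non-zero dimensions as component 0; return 0 otherwise. */
int comps_uniform(const comp_t *c, size_t n, size_t *count)
{
    if (c == NULL || n == 0 || c[0].w == 0 || c[0].h == 0)
        return 0;
    if (c[0].w > SIZE_MAX / c[0].h)   /* w * h must fit in size_t */
        return 0;
    for (size_t i = 0; i < n; i++)
        if (c[i].data == NULL || c[i].w != c[0].w || c[i].h != c[0].h)
            return 0;
    *count = (size_t)c[0].w * c[0].h;
    return 1;
}

/* Interleave three planes into a new RGB buffer. Every plane is indexed
 * with component 0's sample count, so mismatched planes are rejected
 * before any read. Returns NULL on rejection or allocation failure. */
uint8_t *pack_rgb(const comp_t c[3], size_t *len)
{
    size_t count;
    if (!comps_uniform(c, 3, &count) || count > SIZE_MAX / 3)
        return NULL;
    uint8_t *out = malloc(count * 3);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        for (size_t k = 0; k < 3; k++)
            out[3 * i + k] = (uint8_t)c[k].data[i];
    *len = count * 3;
    return out;
}

/* Constructed sample: 2x2 red and green planes; blue is 2x2 or 1x1. */
int demo_accepts(int blue_is_small)
{
    static const int32_t r[4] = {1, 2, 3, 4}, g[4] = {5, 6, 7, 8},
                         b[4] = {9, 10, 11, 12};
    comp_t c[3] = {{2, 2, r}, {2, 2, g}, {2, 2, b}};
    if (blue_is_small) { c[2].w = 1; c[2].h = 1; }
    size_t len = 0;
    uint8_t *out = pack_rgb(c, &len);
    int ok = (out != NULL && len == 12 && out[2] == 9);
    free(out);
    return ok;
}
```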