Debian alert DLA-2550-1 (openjpeg2)
From: Brian May <bam@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2550-1] openjpeg2 security update
Date: Tue, 09 Feb 2021 09:03:55 +1100
Message-ID: <YCG1SzlREQCK+/On@canidae.wired.pri>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2550-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                            Brian May
February 09, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openjpeg2
Version        : 2.1.2-1.1+deb9u6
CVE ID         : CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841
                 CVE-2020-27844 CVE-2020-27845

Various overflow errors were identified and fixed.

CVE-2020-27814

    A heap-buffer overflow was found in the way openjpeg2 handled
    certain PNG format files.

CVE-2020-27823

    Wrong computation of x1,y1 if -d option is used, resulting in heap
    buffer overflow.

CVE-2020-27824

    Global buffer overflow on irreversible conversion when too many
    decomposition levels are specified.

CVE-2020-27841

    Crafted input to be processed by the openjpeg encoder could cause an
    out-of-bounds read.

CVE-2020-27844

    Crafted input to be processed by the openjpeg encoder could cause an
    out-of-bounds write.

CVE-2020-27845

    Crafted input can cause out-of-bounds-read.

For Debian 9 stretch, these problems have been fixed in version
2.1.2-1.1+deb9u6.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
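
An added check, not part of the Debian advisory: the Python below flags binary packages built from the openjpeg2 source whose installed version is older than the fixed 2.1.2-1.1+deb9u6, using the ordering rules of deb-version(7). The inventory lines are constructed samples in the format printed by `dpkg-query -W -f='${source:Package} ${binary:Package} ${Version}\n'`, and the function names are this example's own.

```python
import re

SOURCE, FIXED = "openjpeg2", "2.1.2-1.1+deb9u6"  # fixed version from DLA-2550-1
DIGITS = "0123456789"

# Constructed sample inventory: "<source> <binary package> <version>" per line.
SAMPLE = """\
openjpeg2 libopenjp2-7:amd64 2.1.2-1.1+deb9u5
openjpeg2 libopenjp2-tools 2.1.2-1.1+deb9u6
openjpeg2 libopenjpip7:amd64 2.1.2-1.1
openssl libssl1.1:amd64 1.1.0l-1~deb9u1
"""

def _order(c):
    # '~' sorts before everything, even end of string; letters before punctuation.
    if c == "" or c in DIGITS:
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        # Non-digit run: compare character by character.
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        # Digit run: compare numerically (an empty run counts as 0).
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    """Negative, zero or positive as Debian version a is older, equal or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def vulnerable(inventory, source=SOURCE, fixed=FIXED):
    """Return (binary package, version) pairs built from `source` and older than `fixed`."""
    rows = (line.split() for line in inventory.splitlines())
    return [(r[1], r[2]) for r in rows
            if len(r) == 3 and r[0] == source and deb_cmp(r[2], fixed) < 0]
```

`vulnerable(SAMPLE)` returns the two packages still below the fixed version. On a single Debian host, `dpkg --compare-versions` performs the same comparison.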