-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2361
                          openjpeg2 security update
                                13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjpeg2
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service             -- Remote/Unauthenticated
                   Access Confidential Data      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15389 CVE-2020-8112 CVE-2020-6851
                   CVE-2019-12973 CVE-2018-6616

Reference:         ESB-2020.0664
                   ESB-2020.0587
                   ESB-2020.0372

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2277

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2277-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
July 11, 2020                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openjpeg2
Version        : 2.1.2-1.1+deb9u5
CVE ID         : CVE-2019-12973 CVE-2020-6851 CVE-2020-8112 CVE-2020-15389
Debian Bug     : 931292 950000 950184

The following CVEs were reported against src:openjpeg2.

CVE-2019-12973

    In OpenJPEG 2.3.1, there is excessive iteration in the
    opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
    leverage this vulnerability to cause a denial of service via a crafted
    bmp file. This issue is similar to CVE-2018-6616.

CVE-2020-6851

    OpenJPEG through 2.3.1 has a heap-based buffer overflow in
    opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
    opj_j2k_update_image_dimensions validation.
CVE-2020-8112

    opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
    2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
    different issue than CVE-2020-6851.

CVE-2020-15389

    jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free
    that can be triggered if there is a mix of valid and invalid files in a
    directory operated on by the decompressor. Triggering a double-free may
    also be possible. This is related to calling opj_image_destroy twice.

For Debian 9 stretch, these problems have been fixed in version
2.1.2-1.1+deb9u5.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
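A verification check added here, not part of the Debian or AusCERT bulletin: it lists the binary packages built from src:openjpeg2 on a Debian host and compares each installed version with the fixed version 2.1.2-1.1+deb9u5 using a dpkg-style version comparison, so that +deb9uN revisions and ~ pre-release suffixes sort the way dpkg sorts them. The dpkg-query format fields Package, Source and Version are standard control fields; the function names are the example's own, and the sample versions in comments are constructed.

```python
import shutil
import subprocess

FIXED_VERSION = "2.1.2-1.1+deb9u5"  # fixed version named in DLA-2277-1

def _order(c):
    # dpkg weight: '~' sorts before end of string, digits/end are 0, letters by code point, other non-digits last
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare upstream or revision strings the way dpkg does: alternate
    non-digit runs (by character weight) and digit runs (numerically)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa, ob = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if oa != ob:
                return oa - ob
            a, b = a[1:], b[1:]
        da, db = len(a) - len(a.lstrip("0123456789")), len(b) - len(b.lstrip("0123456789"))
        na, nb = int(a[:da] or 0), int(b[:db] or 0)
        a, b = a[da:], b[db:]
        if na != nb:
            return na - nb
    return 0

def compare_versions(a, b):
    """<0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    def split(v):  # [epoch:]upstream[-revision]; the revision starts at the last '-'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_vulnerable(installed, fixed=FIXED_VERSION):
    # e.g. a constructed "2.1.2-1.1+deb9u4" is older than the fix, "2.1.2-1.1+deb9u5" is not
    return compare_versions(installed, fixed) < 0

def installed_from_source(source="openjpeg2"):
    """Binary package -> installed version for binaries built from `source`; {} without dpkg-query."""
    if shutil.which("dpkg-query") is None:
        return {}  # not a Debian host
    out = subprocess.run(["dpkg-query", "-W", "-f", "${Package}|${Source}|${Version}\n"],
                         capture_output=True, text=True).stdout
    found = {}
    for line in out.splitlines():
        pkg, src, ver = line.split("|", 2)
        if (src.split() or [pkg])[0] == source:  # Source is blank when it equals Package
            found[pkg] = ver
    return found
```

Calling `is_vulnerable(ver)` for each entry of `installed_from_source()` flags any openjpeg2 binary still below the advisory's fixed version.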
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================