-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2361
                         openjpeg2 security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjpeg2
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15389 CVE-2020-8112 CVE-2020-6851
                   CVE-2019-12973 CVE-2018-6616 

Reference:         ESB-2020.0664
                   ESB-2020.0587
                   ESB-2020.0372

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2277

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2277-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
July 11, 2020                               https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : openjpeg2
Version        : 2.1.2-1.1+deb9u5
CVE ID         : CVE-2019-12973 CVE-2020-6851 CVE-2020-8112
                 CVE-2020-15389
Debian Bug     : 931292 950000 950184

The following CVEs were reported against src:openjpeg2.

CVE-2019-12973

    In OpenJPEG 2.3.1, there is excessive iteration in the
    opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers
    could leverage this vulnerability to cause a denial of service
    via a crafted bmp file. This issue is similar to CVE-2018-6616.

CVE-2020-6851

    OpenJPEG through 2.3.1 has a heap-based buffer overflow in
    opj_t1_clbl_decode_processor in openjp2/t1.c because of lack
    of opj_j2k_update_image_dimensions validation.

CVE-2020-8112

    opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1
    through 2020-01-28 has a heap-based buffer overflow in the
    qmfbid==1 case, a different issue than CVE-2020-6851.

CVE-2020-15389

    jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a
    use-after-free that can be triggered if there is a mix of
    valid and invalid files in a directory operated on by the
    decompressor. Triggering a double-free may also be possible.
    This is related to calling opj_image_destroy twice.

For Debian 9 stretch, these problems have been fixed in version
2.1.2-1.1+deb9u5.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh

- --------------------------END INCLUDED TEXT--------------------
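The advisory asks administrators to upgrade to 2.1.2-1.1+deb9u5 on Debian 9; the check below is an added example, not code from the advisory or from dpkg, that re-implements dpkg's version ordering in Python and filters dpkg-query output for openjpeg2 binaries still below that version. The binary package prefix libopenjp2 is an assumption, and any dpkg-query lines fed to it in the test are constructed.

```python
# Added example (not dpkg's or the advisory's own code): dpkg's version ordering
# re-implemented to test installed openjpeg2 versions against the DLA-2277-1 fix.
FIXED_VERSION = "2.1.2-1.1+deb9u5"  # fixed version for Debian 9 stretch, per advisory

def _order(c: str) -> int:
    # Character weight: '~' < end-of-string or digit < letters < other symbols.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Compare an upstream or revision part; negative means a < b.
    while a or b:
        first_diff = 0
        # Non-digit run: the first differing character weight decides.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run wins, else the first digit diff.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a: str, b: str) -> int:
    # Same verdict as `dpkg --compare-versions`: -1, 0 or 1 for a <, ==, > b.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def vulnerable_packages(dpkg_lines, fixed=FIXED_VERSION):
    # Keep "<package> <version>" lines (as printed by dpkg-query -W -f '${binary:Package} ${Version}\n')
    # whose name has the assumed binary-package prefix libopenjp2 and whose version is below the fix.
    return [(name, ver) for name, _, ver in (line.strip().partition(" ") for line in dpkg_lines)
            if name.startswith("libopenjp2") and ver and compare_versions(ver, fixed) < 0]
```

Feed it the output of `dpkg-query -W -f '${binary:Package} ${Version}\n'` from a stretch host; any tuple it returns names a package the advisory says still needs the upgrade.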

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================