Debian Bug report logs - #681075
Fwd: Openjpeg heap buffer overflow issue affecting 1.4 and 1.5

version graph

Package: openjpeg; Maintainer for openjpeg is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>;

Reported by: Mathieu Malaterre <malat@debian.org>

Date: Tue, 10 Jul 2012 13:21:02 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in versions 1.3+dfsg-4.3, 1.3+dfsg-4.2

Fixed in version openjpeg/1.3+dfsg-4.4

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681075; Package openjpeg. (Tue, 10 Jul 2012 13:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 10 Jul 2012 13:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Mathieu Malaterre <malat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Fwd: Openjpeg heap buffer overflow issue affecting 1.4 and 1.5
Date: Tue, 10 Jul 2012 15:16:27 +0200
[Message part 1 (text/plain, inline)]
Package: openjpeg
Version: 1.3+dfsg-4.2
Severity: important
Tags: security patch fixed-upstream

Hi Mathieu,

We have found a heap-buffer overflow issue in openjpeg, when decoding
j2k image files. I am attaching a patch to this email.

We will be making this issue public on 9-July-2012 Monday.
Sorry for the short notice, let me know if you need more time.

This issue affects both version 1.4 and 1.5


--
Huzaifa Sidhpurwala / Red Hat Security Response Team
[openjpeg-tile-sanity.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681075; Package openjpeg. (Wed, 11 Jul 2012 07:54:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 11 Jul 2012 07:54:24 GMT) Full text and rfc822 format available.

Message #10 received at 681075@bugs.debian.org (full text, mbox):

From: Mathieu Malaterre <malat@debian.org>
To: 681075@bugs.debian.org
Subject: for reference
Date: Wed, 11 Jul 2012 09:32:24 +0200
CVE-2012-3358 openjpeg: heap-based buffer overflow when processing
JPEG2000 image files




Marked as found in versions 1.3+dfsg-4.3. Request was from Mathieu Malaterre <malat@debian.org> to control@bugs.debian.org. (Wed, 11 Jul 2012 07:54:29 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681075; Package openjpeg. (Wed, 11 Jul 2012 20:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 11 Jul 2012 20:15:07 GMT) Full text and rfc822 format available.

Message #17 received at 681075@bugs.debian.org (full text, mbox):

From: Michael Gilbert <mgilbert@debian.org>
To: 681075@bugs.debian.org
Subject: re: Openjpeg heap buffer overflow issue affecting 1.4 and 1.5
Date: Wed, 11 Jul 2012 16:12:01 -0400
[Message part 1 (text/plain, inline)]
Hi,

I've just uploaded an nmu fixing this security issue.  See attached.

Best wishes,
Mike
[openjpeg.patch (application/octet-stream, attachment)]

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Wed, 11 Jul 2012 20:51:13 GMT) Full text and rfc822 format available.

Notification sent to Mathieu Malaterre <malat@debian.org>:
Bug acknowledged by developer. (Wed, 11 Jul 2012 20:51:13 GMT) Full text and rfc822 format available.

Message #22 received at 681075-close@bugs.debian.org (full text, mbox):

From: Michael Gilbert <mgilbert@debian.org>
To: 681075-close@bugs.debian.org
Subject: Bug#681075: fixed in openjpeg 1.3+dfsg-4.4
Date: Wed, 11 Jul 2012 20:48:43 +0000
Source: openjpeg
Source-Version: 1.3+dfsg-4.4

We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated openjpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Jul 2012 15:52:34 -0400
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg2 libopenjpeg2-dbg openjpeg-tools
Architecture: source amd64
Version: 1.3+dfsg-4.4
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libopenjpeg-dev - development files for libopenjpeg2, a JPEG 2000 image library
 libopenjpeg2 - JPEG 2000 image compression/decompression library
 libopenjpeg2-dbg - debug symbols for libopenjpeg2, a JPEG 2000 image library
 openjpeg-tools - command-line tools using the JPEG 2000 library
Closes: 681075
Changes: 
 openjpeg (1.3+dfsg-4.4) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2012-3358: buffer overflow in JPEG2000 image file handling
     (closes: #681075).
Checksums-Sha1: 
 430952022af657d4acbe81471ccc47a1c246495c 2869 openjpeg_1.3+dfsg-4.4.dsc
 6043add5cb16fe3fccb73da3c86238df02693510 13166 openjpeg_1.3+dfsg-4.4.diff.gz
 57a8f3cf8bb458a7781cfe9d03102dd050bcf365 99624 libopenjpeg-dev_1.3+dfsg-4.4_amd64.deb
 9717ea958b4c68dfddbe15c8957e269c34a38438 85672 libopenjpeg2_1.3+dfsg-4.4_amd64.deb
 0984979520b213b87270e6ead37f94c7f0710065 448778 libopenjpeg2-dbg_1.3+dfsg-4.4_amd64.deb
 e44ce35ea8ff5c3802e89aef139c062f03651c6b 216970 openjpeg-tools_1.3+dfsg-4.4_amd64.deb
Checksums-Sha256: 
 9a6cef2aaca601db432c0ec0385a039747138ecc4b3b891015c68fe24c7639c9 2869 openjpeg_1.3+dfsg-4.4.dsc
 410df89f0f7a7b0636b40b030bc30f2d912f148b312d21353aa3ddbed4f05a70 13166 openjpeg_1.3+dfsg-4.4.diff.gz
 4fbfd6628bc5dbafe3ce50ab45a8096e35cfba2fcfd9e29532aa972af6906352 99624 libopenjpeg-dev_1.3+dfsg-4.4_amd64.deb
 f352d136c42ca7db1008d489b220ec72636aef871cea3e30835de6937f72cd9a 85672 libopenjpeg2_1.3+dfsg-4.4_amd64.deb
 0dcea53c2d20823c3622bbd385502fc429ca157b803e6d999df46808dcdff585 448778 libopenjpeg2-dbg_1.3+dfsg-4.4_amd64.deb
 3c86f4339eb2385ab69d60682e95fc1dbe25e84157903212086c7b57bc99d100 216970 openjpeg-tools_1.3+dfsg-4.4_amd64.deb
Files: 
 46762dae01a2589150886ddccb56d7e7 2869 libs extra openjpeg_1.3+dfsg-4.4.dsc
 107d52d6c6c70f6f1ba9d97469e41365 13166 libs extra openjpeg_1.3+dfsg-4.4.diff.gz
 b0ce39f9781fa664666527789faa0c98 99624 libdevel extra libopenjpeg-dev_1.3+dfsg-4.4_amd64.deb
 ae58d65b535dbd7347fbc4cd32c45251 85672 libs extra libopenjpeg2_1.3+dfsg-4.4_amd64.deb
 f18acab58ba6e45d4b226ed9c2381178 448778 libdevel extra libopenjpeg2-dbg_1.3+dfsg-4.4_amd64.deb
 ed808e08c765072064f535e2b4b77ef4 216970 graphics extra openjpeg-tools_1.3+dfsg-4.4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQQcBAEBCAAGBQJP/dzxAAoJELjWss0C1vRzXwQf/A6tuFGrEws6uTH6mR5C+JmR
msIIoD0qa377bVyU430zCSTnc17HgerzIm4+DpehrfaZbHs0WahZRRdUvdxqTY7v
GPATaLP5wtkJroPrYE81Sguuinm2K8pKJ0nis6zgrl8DdSQwwmFK7rejqFPALMf6
9B7GBHpwwSaFI2h0bWCrY4om+HaTZiRFZbnhK3mYk1qcigKwG8Oi77NSSdSHjxGK
I2qQZ9Oz+aRChjuyUkOSOKXGr1WlXM/GLgWEYAG5uhkUSDs0+8r6rZ+8JwMfU4z5
Qgy/AAcSiQRjiNQ2v62uqE+G1ALaPmYRNMPoABjt/7kFSGpua6GczZe0/mP3xzhH
jqeykVeHW11w8i+BARJIywy70pcb9rBzToA3bDiNBFE1ptJLQQlZe3Pxx+HKmIZv
z5v8u6NMqGSJ/Q2L0lpF4EeCwt/Gc0oxOJD1m8Cl32fQRupNBzJUo2NgzAXfwipm
vKFUR6nBnTZRDFUXLF/8Hpp+/q6hKqMG/Y57MoFFciSMTNbMiNu+2NNGK4ZIq/AM
UD/Yt8EJEw9PuxV+sL/rgMXFrWUmFUb3Dkya0v5566M8v6er0GrIvS+3cRVkrPHi
NoesZTKDGf7Evuk2c7dLjtMe3gwuB7eedsSQN19TmqTSeHHnheyOkUDkEgDZBfN5
/utC30rQq6pcOJIAfWID26kthV16cP4DSBqy4RK0iYIFPoP5OJBqhTr/EF0E71zQ
+RoL8pLgf9Ub0tf+crtCtM8a1c/2LsTH5ySVWuYynOHRt4vdD6rxjocNz0y9JOjS
CzDRwOLfHx9Evys5R9tNj6itE2pUPWJmOUv/QcYgTpcC/HUdMX1RJ41bRYXhV3AP
TA6cb9F0dWgyHgX3l2hYZSbBDbaNIVQ/hos/GCmeh72J38cOcM1j+FvLt+i1WEkJ
RfXvFTv/ZvSPjLksJCYg7RffQ2JIbHJ5HbJRGtKj/LIhnFiyZBnbLHhewZTb9ubr
aSgOETPsiB5mEa3lqHrvxMvL7vpKFSg9Kx58EJWLUQxd4N4XO+A7qtLogKUPXmoO
kAg/9mwecvdD/nSNnQMjT72p9KyL5ms1FwL7pokJhG4YObHrIf6Sh3iy72P3Prbr
HETtbisaGVx3PF2oWBAG9EJZUajILnmvS26YnPbKyzoCqdFNnwZHP4W7VbvcscE1
1DRvKxzVowKP2L+HD8P1YX03NQ6QKi0YXWEo5gUNZ/2eOlagElPssC95v3vxwCPV
sF9qjH7aFL3uGgVOIu2lzICtMWm430+s49Ffd6J15FGBUI96p9zb1bEIyNWl/0Ca
U67oinqdDT3FBCIpog6w53GOpb88iDKm+kKbBCjdeE0xrReVfKtW7fq7vNGvWwg=
=fLJJ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Aug 2012 07:28:33 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 04:12:00 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.