Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openjpeg2 for openSUSE:Factory checked in at 2026-01-26 10:44:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openjpeg2 (Old) and /work/SRC/openSUSE:Factory/.openjpeg2.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openjpeg2" Mon Jan 26 10:44:26 2026 rev:25 rq:1328986 version:2.5.4 Changes: -------- --- /work/SRC/openSUSE:Factory/openjpeg2/openjpeg2.changes 2025-10-07 18:25:48.682975095 +0200 +++ /work/SRC/openSUSE:Factory/.openjpeg2.new.1928/openjpeg2.changes 2026-01-26 10:55:05.927923634 +0100 @@ -1,0 +2,6 @@ +Fri Jan 23 20:16:08 UTC 2026 - Hans Petter Jansson <[email protected]> + +- Add openjpeg2-cve-2023-39327-limit-iterations.patch + (CVE-2023-39327, bsc#1227412). + +------------------------------------------------------------------- New: ---- openjpeg2-cve-2023-39327-limit-iterations.patch ----------(New B)---------- New: - Add openjpeg2-cve-2023-39327-limit-iterations.patch (CVE-2023-39327, bsc#1227412). ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openjpeg2.spec ++++++ --- /var/tmp/diff_new_pack.rUMMXA/_old 2026-01-26 10:55:17.088396726 +0100 +++ /var/tmp/diff_new_pack.rUMMXA/_new 2026-01-26 10:55:17.100397232 +0100 @@ -1,7 +1,7 @@ # # spec file for package openjpeg2 # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,6 +27,7 @@ URL: https://www.openjpeg.org/ Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}.tar.gz#/openjpeg-%{version}.tar.gz Source1: baselibs.conf +Patch01: openjpeg2-cve-2023-39327-limit-iterations.patch BuildRequires: cmake > 3.5 BuildRequires: doxygen BuildRequires: fdupes @@ -87,7 +88,7 @@ This package provides the API documentation for %{name}. %prep -%autosetup -n openjpeg-%{version} -p0 +%autosetup -n openjpeg-%{version} -p1 # do not embed timestamps into html documentation sed -i 's|^HTML_TIMESTAMP[ =].*$|HTML_TIMESTAMP = NO|' doc/Doxyfile.dox.cmake.in ++++++ openjpeg2-cve-2023-39327-limit-iterations.patch ++++++ diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c index 4e8cf6018..ad39cd741 100644 --- a/src/lib/openjp2/t2.c +++ b/src/lib/openjp2/t2.c @@ -441,6 +441,8 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, * and no l_img_comp->resno_decoded are computed */ OPJ_BOOL* first_pass_failed = NULL; + OPJ_UINT32 l_packet_count = 0; + OPJ_UINT32 l_max_packets = 100000; if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) { /* TODO ADE : add an error */ @@ -457,6 +459,17 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, while (opj_pi_next(l_current_pi)) { OPJ_BOOL skip_packet = OPJ_FALSE; + + /* CVE-2023-39327: Check for excessive packet iterations */ + if (++l_packet_count > l_max_packets) { + opj_event_msg(p_manager, EVT_ERROR, + "Excessive packet iterations detected (>%u). Possible malformed stream.\n", + l_max_packets); + opj_pi_destroy(l_pi, l_nb_pocs); + opj_free(first_pass_failed); + return OPJ_FALSE; + } + JAS_FPRINTF(stderr, "packet offset=00000166 prg=%d cmptno=%02d rlvlno=%02d prcno=%03d lyrno=%02d\n\n", l_current_pi->poc.prg1, l_current_pi->compno, l_current_pi->resno,
