Your message dated Tue, 24 Jan 2017 15:14:38 +0000
with message-id <[email protected]>
and subject line Bug#851422: fixed in openjpeg2 2.1.2-1.1
has caused the Debian Bug report #851422,
regarding openjpeg2: CVE-2016-9572 CVE-2016-9573
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
851422: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851422
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.1.0-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://github.com/uclouvain/openjpeg/issues/863
Control: fixed -1 2.1.0-2+deb8u2
Hi,
the following vulnerabilities were published for openjpeg2. Filling it
as RC severity, since Moritz's DSA for openjpeg2 will contain fixes
for those two CVEs, and not having those fixed in stretch would imply
a regression.
CVE-2016-9572[0] and CVE-2016-9573[1]. There is an upstream issue at
[2] with patch[3].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
[1] https://security-tracker.debian.org/tracker/CVE-2016-9573
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
[2] https://github.com/uclouvain/openjpeg/issues/863
[3]
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1
We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated openjpeg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Jan 2017 14:18:13 +0100
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7
libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server
libopenjp3d-tools libopenjp2-tools
Architecture: all source
Version: 2.1.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers
<[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 851422
Description:
libopenjp2-7 - JPEG 2000 image compression/decompression library
libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
libopenjp2-tools - command-line tools using the JPEG 2000 library
libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression
librar
libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP
protocol
libopenjpip-server - JPIP server for JPEG 2000 files
libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP
access
libopenjpip7 - JPEG 2000 Interactive Protocol
Changes:
openjpeg2 (2.1.2-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Add CVE-2016-9572_CVE-2016-9573.patch patch.
CVE-2016-9572: NULL pointer dereference in input decoding
CVE-2016-9573: Heap out-of-bounds read due to insufficient check in
imagetopnm(). (Closes: #851422)
Checksums-Sha1:
50ddef758320bd23c768767a016baedd562b9f44 2924 openjpeg2_2.1.2-1.1.dsc
1fbf5f76f97a99292463e153301c36a5766365ec 19364
openjpeg2_2.1.2-1.1.debian.tar.xz
2c5ab2904d14808e26f0bad53c307d38588d824d 44488
libopenjpip-viewer_2.1.2-1.1_all.deb
Checksums-Sha256:
103af13df834b24267c86617944f1fe1204a30b3053a1a4b032bb131ef23b126 2924
openjpeg2_2.1.2-1.1.dsc
b19b15ac6306c19734f0626f974c8863e4dc21a1df849a8ae81008479b5b0daf 19364
openjpeg2_2.1.2-1.1.debian.tar.xz
e86ff5f6bda77c7f33b84d1521cf23ca784f6d3cff4c2732251a6f007bb0b5cc 44488
libopenjpip-viewer_2.1.2-1.1_all.deb
Files:
802071a28cab62ce2d912da64437652f 2924 libs optional openjpeg2_2.1.2-1.1.dsc
1672d0c7de5196f2e67eeeed091f72cb 19364 libs optional
openjpeg2_2.1.2-1.1.debian.tar.xz
8397640d4a09518f5cb6a130ab4683b4 44488 graphics optional
libopenjpip-viewer_2.1.2-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAliEvQZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ec5kP/1aK/TuH4zxf0pCZAiAyjYNJFAXOJH+K
GHgD/hCVpjbkKfOhvPAa4hTneCBtPfzHVKmoTYEHkXOBc/+vGnnC2cNg0LkfxjcL
2iOe4E1S7DRKXazUX58Sar9hPKAQ1h4quCot2RYi6+6UbOXXiDBX/eRAQ3YAoEeG
OpTpHDjD/Ib12pZ8Z5PpEW1L1evRxZ1mspIhaTVZ5DNqCKRUuf+ARGoj5EreR4u7
Cp9YChetN3kPfK7zFMnATmQhZf3KK73ALap9Rz405An37Viw/4GM9p8W25fBGuHf
kG9pHmeaXtc+I2qbu4dapSDCCpGBYlncJcuUUnDith+JPvUkFUqC1tmhKuP8fW43
nZCDuDVZ3huj6QqeLVmiDhWlJDE+V4fMr2sUnLVHKQz3JcYyfZXcsCHlHisnim7q
8TpX6sLugqEsaMxSr6sAjL2l+9f50ihZ9rfQGArpnPkF/bw9T/WEWm3MPTPkMLAn
a0HbNl1NfWdxDZBqFUYDEdBQPQX81vXein+2rYt3RL96i+MOetTT6fzuQNd9Wi+W
DMEmEAD2LwwImt+ly1s4nU/PrtthTEBvjLeJqseE5wTmI5fS5hZZVz3VzI4bR2BN
2DBpAeaGfUnlaCQSZzvPJL470cMrshZLLuuCHZyrULkqLnNm9pRBRVpG/FEmvdZf
+B0Mw1/oduYW
=eb41
-----END PGP SIGNATURE-----
--- End Message ---