Source: openjpeg2
Version: 2.3.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1261
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 2.3.0-2+deb10u1
Control: found -1 2.3.0-2

Hi,

The following vulnerability was published for openjpeg2.

CVE-2020-15389[0]:
| jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free
| that can be triggered if there is a mix of valid and invalid files in
| a directory operated on by the decompressor. Triggering a double-free
| may also be possible. This is related to calling opj_image_destroy
| twice.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15389
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15389
[1] https://github.com/uclouvain/openjpeg/issues/1261
[2] https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0

Regards,
Salvatore
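
The bug class named in the CVE description (one image handle destroyed twice while a directory with valid and invalid files is processed), as an added example that is not part of the original report and is not OpenJPEG code. The types, function names and control flow are hypothetical stand-ins, and a static pool replaces the heap so the repeated destroy is counted instead of corrupting memory.

```c
#include <stdio.h>

/* Hypothetical stand-in for an image handle (not OpenJPEG's opj_image_t). */
typedef struct { int live; } image_t;

static image_t pool[8];      /* one slot per file, so n must be <= 8 */
static int stale_destroys;   /* destroy calls on an already-destroyed handle */

static image_t *image_decode(int slot, int valid) {
    if (!valid) return NULL;            /* invalid file: no image produced */
    pool[slot].live = 1;
    return &pool[slot];
}

static void image_destroy(image_t *img) {
    if (img == NULL) return;            /* destroying NULL is a no-op */
    if (!img->live) { stale_destroys++; return; }  /* real code: double free */
    img->live = 0;
}

/* Processes n files in order; valid[i] != 0 means file i decodes.
   reset_handle = 0 models the bug class, 1 the hardened form.
   Returns how many times a stale handle was destroyed. */
int process_directory(const int *valid, int n, int reset_handle) {
    image_t *image = NULL;              /* one handle reused for every file */
    int i;
    stale_destroys = 0;
    for (i = 0; i < n; i++) {
        image_t *decoded = image_decode(i, valid[i]);
        if (decoded == NULL) {
            image_destroy(image);       /* error path cleans up the shared handle */
            if (reset_handle) image = NULL;
            continue;
        }
        image = decoded;
        image_destroy(image);           /* normal per-file cleanup */
        if (reset_handle) image = NULL; /* hardening: never keep a freed pointer */
    }
    return stale_destroys;
}

int main(void) {
    int mixed[] = {1, 0};               /* constructed input: valid, then invalid */
    printf("without reset: %d stale destroy(s)\n", process_directory(mixed, 2, 0));
    printf("with reset:    %d stale destroy(s)\n", process_directory(mixed, 2, 1));
    return 0;
}
```

With real heap allocations, each counted stale destroy would be a second free of the same block, which is why a fuzzing or regression corpus for a directory-processing tool should include directories that interleave valid and invalid files, run under AddressSanitizer.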

