Your message dated Mon, 25 Jun 2012 16:50:29 +0000
with message-id <[email protected]>
and subject line Bug#672455: fixed in openjpeg 1.3+dfsg-4.1
has caused the Debian Bug report #672455,
regarding CVE-2009-5030: Heap memory corruption leading to invalid free
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
672455: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672455
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libopenjpeg2
Version: 1.3+dfsg-4
Severity: important
Tags: security
CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by
processing certain Gray16 TIFF images
https://bugzilla.redhat.com/show_bug.cgi?id=812317
"""
A heap-based out-of-bounds buffer read and write flaw, leading to invalid
free, was found in the way a tile coder / decoder (TCD) implementation of
OpenJPEG, an open-source JPEG 2000 codec written in the C language, performed
releasing of previously allocated memory for the TCD encoder handle by
processing certain Gray16 TIFF images. A remote attacker could provide a
specially-crafted TIFF image file, which, once converted into the JPEG 2000 file
format with an application linked against OpenJPEG (such as 'image_to_j2k'),
would lead to that application crashing or, potentially, arbitrary code execution
with the privileges of the user running the application.
Upstream ticket:
http://code.google.com/p/openjpeg/issues/detail?id=5
CVE Request:
http://www.openwall.com/lists/oss-security/2012/04/13/1
"""
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libopenjpeg2 depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
libopenjpeg2 recommends no packages.
libopenjpeg2 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openjpeg
Source-Version: 1.3+dfsg-4.1
We believe that the bug you reported is fixed in the latest version of
openjpeg, which is due to be installed in the Debian FTP archive:
libopenjpeg-dev_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/libopenjpeg-dev_1.3+dfsg-4.1_i386.deb
libopenjpeg2-dbg_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/libopenjpeg2-dbg_1.3+dfsg-4.1_i386.deb
libopenjpeg2_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/libopenjpeg2_1.3+dfsg-4.1_i386.deb
openjpeg-tools_1.3+dfsg-4.1_i386.deb
to main/o/openjpeg/openjpeg-tools_1.3+dfsg-4.1_i386.deb
openjpeg_1.3+dfsg-4.1.diff.gz
to main/o/openjpeg/openjpeg_1.3+dfsg-4.1.diff.gz
openjpeg_1.3+dfsg-4.1.dsc
to main/o/openjpeg/openjpeg_1.3+dfsg-4.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luk Claes <[email protected]> (supplier of updated openjpeg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 23 Jun 2012 18:26:27 +0200
Source: openjpeg
Binary: libopenjpeg-dev libopenjpeg2 libopenjpeg2-dbg openjpeg-tools
Architecture: source i386
Version: 1.3+dfsg-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Luk Claes <[email protected]>
Description:
libopenjpeg-dev - development files for libopenjpeg2, a JPEG 2000 image library
libopenjpeg2 - JPEG 2000 image compression/decompression library
libopenjpeg2-dbg - debug symbols for libopenjpeg2, a JPEG 2000 image library
openjpeg-tools - command-line tools using the JPEG 2000 library
Closes: 672455
Changes:
openjpeg (1.3+dfsg-4.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2009-5030: Avoid memory overrun (Closes: #672455).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk/l72YACgkQ5UTeB5t8Mo1RGQCfe6uROZJs/c+nZe0KxLUgNGvh
yBgAn2hgCAKqeyNcusL4pO/utH2vmx7r
=f5hD
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-phototools-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-phototools-devel