Your message dated Mon, 16 Oct 2017 09:08:02 +0000
with message-id <e1e41ns-0007nz...@fasolo.debian.org>
and subject line Bug#874431: fixed in openjpeg2 2.3.0-1
has caused the Debian Bug report #874431,
regarding openjpeg2: CVE-2017-14152: heap-based buffer overflow in opj_write_bytes_LE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
874431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874431
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.1.2-1.3
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/uclouvain/openjpeg/issues/985

Hi,

the following vulnerability was published for openjpeg2.

CVE-2017-14152[0]:
| A mishandled zero case was discovered in opj_j2k_set_cinema_parameters
| in lib/openjp2/j2k.c in OpenJPEG 2.2.0. The vulnerability causes an
| out-of-bounds write, which may lead to remote denial of service
| (heap-based buffer overflow affecting opj_write_bytes_LE in
| lib/openjp2/cio.c and opj_j2k_write_sot in lib/openjp2/j2k.c) or
| possibly remote code execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14152
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14152
[1] https://github.com/uclouvain/openjpeg/issues/985

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Malaterre <ma...@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Oct 2017 07:43:41 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Mathieu Malaterre <ma...@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 874115 874430 874431 877676 877758
Changes:
 openjpeg2 (2.3.0-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #877758
   * Drop explicit -dbg package. Closes: #877676
   * Fix CVE-2017-14041. Closes: #874115
   * Fix CVE-2017-14151. Closes: #874430
   * Fix CVE-2017-14152. Closes: #874431

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-phototools-devel mailing list
Pkg-phototools-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-phototools-devel
