[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-08 Thread Nikita Yerenkov-Scott
** Patch added: "openjpeg2FixCVE-2016-8332+CVE-2016-7163Xenial.debdiff" https://bugs.launchpad.net/ubuntu/+source/openjpeg/+bug/1630702/+attachment/4757534/+files/openjpeg2FixCVE-2016-8332+CVE-2016-7163Xenial.debdiff ** Changed in: openjpeg2 (Ubuntu) Status: Incomplete => Confirmed **

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-08 Thread Nikita Yerenkov-Scott
** Patch added: "openjpeg2FixCVE-2016-8332+CVE-2016-7163Yakkety.debdiff" https://bugs.launchpad.net/ubuntu/+source/openjpeg/+bug/1630702/+attachment/4757533/+files/openjpeg2FixCVE-2016-8332+CVE-2016-7163Yakkety.debdiff -- You received this bug notification because you are a member of Ubuntu

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-08 Thread Nikita Yerenkov-Scott
I have just started working on applying the patches and making a debdiff for openjpeg, however I have got a slight problem, none of the files I am trying to patch seem similar enough in the 1.5.2 version to actually be patched, I just can't find the right places to insert and remove the code so I

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-06 Thread Nikita Yerenkov-Scott
Right, I don't really have any way of testing whether the patches have been applied correctly so I will just make the debdiffs and upload them. But I will have to do this at the weekend because I do not have any time to do this now. I will be away from my computer until then.

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-06 Thread Seth Arnold
Hi Nikita, it's always nice when you can test directly if a known bad input has been handled correctly, but not all security fixes come with sample inputs to see the issue. So when you can find them, that's always welcome, but not necessary. But it is necessary to make sure that programs that use

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-06 Thread Nikita Yerenkov-Scott
Seth, I can make the debdiffs for all the releases if I can find patches which I can apply. However I'm not sure that I really know enough to actually test if the vulnerability is still exploitable with the patched version. So I don't think that I would be able to test them. Would it still be

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-06 Thread Marc Deslauriers
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Seth Arnold
Our openjpeg and openjpeg2 packages have far more than this one flaw unaccounted for: http://people.canonical.com/~ubuntu-security/cve/pkg/openjpeg.html http://people.canonical.com/~ubuntu-security/cve/pkg/openjpeg2.html (I suspect that most issues that apply to one also apply to the other;

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Nikita Yerenkov-Scott
I can create said debdiffs if there is nobody else better to do them. I'm just not incredibly experienced with this sort of thing (though I have successfully made debdiffs in the past and had them accepted) and in the past I was able to provide a debdiff which would then be altered by the person

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Nikita Yerenkov-Scott
** Also affects: openjpeg2 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1630702 Title: CVE-2016-8332 allows an out-of-bound heap write to occur

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Nikita Yerenkov-Scott
Seth, I will take a look at those soon after I have created a debdiff for this (that is if nobody else has done so by the time I do it, which hopefully will be some time tomorrow).

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Nikita Yerenkov-Scott
I assume that I should create a debdiff for this anyway. What do you think? And do I need to make one for each release or do you think that someone else can deal with altering my debdiff to be able to be in any release they want it to be in (if there is somebody to do that that is)?

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Seth Arnold
Nikita, if you have time and care for OpenJPEG, please consider reviewing the crashing inputs I reported to the OpenJPEG team: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+attachment/4586223/+files/openjpeg-crashers.tar.gz

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Nikita Yerenkov-Scott
** Description changed: A security vulnerability was recently disclosed in openjpeg and assigned the CVE number of CVE-2016-8332. The vulnerability is described here (http://www.zdnet.com/article/openjpeg-zero-day-flaw-leads-to-remote-code-execution/): " Cisco Talos researchers

[Bug 1630702] Re: CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution

2016-10-05 Thread Nikita Yerenkov-Scott
** Summary changed: - Backport in patch to fix CVE-2016-8332 + CVE-2016-8332 allows an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution