[Bug 711061] Re: [MIR] openjpeg2

2020-02-21 Thread Mathew Hodson
** Description changed: openjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to /debian/rules adds openjpeg as a build-dep to poppler, which is in main, openjpeg

[Bug 711061] Re: [MIR] openjpeg2

2020-02-06 Thread Didier Roche
Promoted $ ./change-override -c main -t openjpeg2 Override component to main openjpeg2 2.3.1-1 in focal: universe/misc -> main Override [y|N]? y 1 publication overridden. $ ./change-override -c main libopenjp2-7 Override component to main libopenjp2-7 2.3.1-1 in focal amd64:

[Bug 711061] Re: [MIR] openjpeg2

2020-02-05 Thread Till Kamppeter
synced Ghostscript 9.50 from Debian, pulling in libopenjpeg2. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to:

[Bug 711061] Re: [MIR] openjpeg2

2020-02-05 Thread Didier Roche
No worry! I'll promote it once we have something pulling it in the archive

[Bug 711061] Re: [MIR] openjpeg2

2020-02-05 Thread Till Kamppeter
Great, finally succeeded after 9 (!) years! I will soon update the Ghostscript packages, merging 9.50 from Debian and switch over to use the libopenjpeg2 instead of the Ghostscript-internal library. Other target is Poppler, I hope the Poppler package maintainer is aware.

[Bug 711061] Re: [MIR] openjpeg2

2020-02-04 Thread Christian Ehrhardt 
@didrocks, please forgive me but to avoid this being lost I assigned you for now - feel free to re-assign inside the team as needed.

[Bug 711061] Re: [MIR] openjpeg2

2020-02-04 Thread Christian Ehrhardt 
This already had the Security review acked - thanks ebarretto for clarifying. The only thing missing was a Team subscriber. $ ./get-packages-subscribed.py --team desktop-packages -p | grep openjpeg openjpeg2 The missing subscription is now resolved, therefore this is ready. It is not yet in

[Bug 711061] Re: [MIR] openjpeg2

2020-02-04 Thread Didier Roche
** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

[Bug 711061] Re: [MIR] openjpeg2

2020-01-14 Thread Christian Ehrhardt 
FYI this still lacks a team subscriber - per the former comments I'd have expected "desktop-packages" but haven't found that one.

[Bug 711061] Re: [MIR] openjpeg2

2020-01-14 Thread Christian Ehrhardt 
With above analysis done, in conjunction with the decisions in Paris and per the discussion in the MIR team meeting at [1] this is an ack. Please go forward with vendored dependencies, that applies to: 1. the security team which has this on its queue for review 2. the server team for an eventual

[Bug 711061] Re: [MIR] openjpeg2

2020-01-08 Thread Eduardo dos Santos Barretto
** Changed in: openjpeg2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

[Bug 711061] Re: [MIR] openjpeg2

2020-01-08 Thread Eduardo dos Santos Barretto
I reviewed openjpeg2 2.3.1-1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability. openjpeg2 is a library to encode and decode JPEG 2000 images. JPEG 2000 is an image compression standard and coding system. OpenJPEG dates back from 2005 and

[Bug 711061] Re: [MIR] openjpeg2

2019-11-06 Thread Matthias Klose
it was noted that img2pdf ftbfs with a JPEG2000 test error in https://launchpad.net/ubuntu/+source/img2pdf/0.3.3-1 Maybe it's worth finding out why

[Bug 711061] Re: [MIR] openjpeg2

2019-10-23 Thread Eduardo dos Santos Barretto
** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

[Bug 711061] Re: [MIR] openjpeg2

2019-07-12 Thread jonathan green
It looks like https://github.com/uclouvain/openjpeg/issues/1079 was recently resolved, which hopefully can help to move this issue forward!

[Bug 711061] Re: [MIR] openjpeg2

2019-06-14 Thread Michael Catanzaro
Hm that makes sense! From my reading of that issue, it's clear that you want the checks removed from the fuzzer, but not so clear that you want them added to the main library. That might be worth clarifying with upstream.

[Bug 711061] Re: [MIR] openjpeg2

2019-06-11 Thread Seth Arnold
Hello Michael, thanks for giving this a new look. I know enough people have interest in working with JPEG2000 files -- this is a frequent request. The OpenJPEG team has really done a lot of work to improve the library, and it'd be well and truly satisfying to be able to move it to main. I'd

[Bug 711061] Re: [MIR] openjpeg2

2019-06-11 Thread Michael Catanzaro
Actually, both #1076 and #1078 are in the mj2 library, which Ubuntu disables with the -DBUILD_MJ2:BOOL=OFF CMake arg. Additionally, all of the cppcheck issues in #719 that are not under bin are in this mj2 library, except for one: [lib/openjpip/j2kheader_manager.c:120]: (error) Uninitialized

[Bug 711061] Re: [MIR] openjpeg2

2019-06-11 Thread Michael Catanzaro
Even better: #1077 can be immediately closed as a duplicate of #1078 (which contains discussion), and then you already fixed #1071 and just forgot to close. So that leaves us with two specific security issues affecting the library, #1076 and #1078, plus the "make cppcheck happy" issue #719. --

[Bug 711061] Re: [MIR] openjpeg2

2019-06-11 Thread Michael Catanzaro
The security review in comment #59 and comment #60 looks very nice. I skimmed over the issues and noticed that almost all of them affect the utility tools (in bin), not the library itself. You may or may not consider that relevant to the MIR. The issues affecting the library code are:

[Bug 711061] Re: [MIR] openjpeg2

2018-06-06 Thread Matthias Klose
setting to incomplete again, based on the review above. ** Changed in: openjpeg2 (Ubuntu) Status: Confirmed => Incomplete ** Changed in: openjpeg2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

[Bug 711061] Re: [MIR] openjpeg2

2018-04-30 Thread Seth Arnold
Hi Misaki, There's multiple interacting issues: - ffmpeg is in universe; thus, many sites will not install it because they configure apt to only install packages from main. - imagemagick's insanely useful tools are used by hundreds or thousands of other applications. - openjpeg's upstream

[Bug 711061] Re: [MIR] openjpeg2

2018-04-29 Thread Misaki
Regarding security: it seems that ffmpeg has retained jpeg-2000 support during this time. ffmpeg's configuration, ffmpeg version 3.4.2-2 Copyright (c) 2000-2018 the FFmpeg developers built with gcc 7 (Ubuntu 7.3.0-16ubuntu2) [...] --enable-libopenjpeg [...] ffplay will display a jpeg2000

[Bug 711061] Re: [MIR] openjpeg2

2018-04-29 Thread Misaki
** Tags added: bionic

[Bug 711061] Re: [MIR] openjpeg2

2018-02-21 Thread Seth Arnold
I've filed: https://github.com/uclouvain/openjpeg/issues/1082 https://github.com/uclouvain/openjpeg/issues/1083 https://github.com/uclouvain/openjpeg/issues/1084 https://github.com/uclouvain/openjpeg/issues/1085 https://github.com/uclouvain/openjpeg/issues/1086

[Bug 711061] Re: [MIR] openjpeg2

2018-02-13 Thread Seth Arnold
I've started in on a new review of openjpeg2. The code is vastly improved since the last time I read it but it still has rough edges. So far I've filed: https://github.com/uclouvain/openjpeg/issues/1065 https://github.com/uclouvain/openjpeg/issues/1066

[Bug 711061] Re: [MIR] openjpeg2

2018-02-02 Thread Seth Arnold
** Changed in: openjpeg2 (Ubuntu) Assignee: Seth Arnold (seth-arnold) => Ubuntu Security Team (ubuntu-security)

[Bug 711061] Re: [MIR] openjpeg2

2017-09-01 Thread Bryan Quigley
I've found a regression [1] in Poppler 17.10 (worked fine in 17.04) that getting this in main would solve. I'm still not parsing exactly why this has regressed, but building with openjpeg2 support did fix it. [1] https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1714596

[Bug 711061] Re: [MIR] openjpeg2

2017-04-14 Thread Mathew Hodson
** Description changed: - libopenjpeg should be included in main because compiling poppler with + openjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to

[Bug 711061] Re: [MIR] openjpeg2

2017-04-03 Thread Seth Arnold
Indeed it might be worth another look; there has been upstream activity addressing issues and the commit messages even reference Coverity. They've been trying. If jpeg2000 support in Ubuntu is important to you, I'd like to encourage you to: - read the openjpeg2 source code and suggest

[Bug 711061] Re: [MIR] openjpeg2

2017-03-31 Thread Mathew Hodson
ImageMagick also needs openjpeg in main so it can be built with JPEG2000 support. (LP: #1447968) ** Description changed: libopenjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412).

[Bug 711061] Re: [MIR] openjpeg2

2016-08-17 Thread Seth Arnold
I've filed https://github.com/uclouvain/openjpeg/issues/811 to ask the OpenJPEG team to look at the 646 crashing inputs uncovered by AFL. (Sorry about the extra messages, but github won't let me upload attachments. So launchpad is most convenient for hosting the tarball.) Thanks ** Bug watch

[Bug 711061] Re: [MIR] openjpeg2

2016-08-17 Thread Seth Arnold
I ran afl-fuzz against the upstream openjpeg 2.1.1 release and found the following corpus of crashing inputs: 68ae4c0f26ff70a7cac6495c430db7e9c42c5a33d81026cfbe0576026556d7f0 crashes-openjpeg-2.1.1.tar.gz Thanks ** Attachment added: "crashes-openjpeg-2.1.1.tar.gz"

[Bug 711061] Re: [MIR] openjpeg2

2016-08-15 Thread Michael Terry
Seth, back to you. I don't know how different a codebase openjpeg2 is from openjpeg. But version numbers got bumped at least. :) ** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => SteveA (sarnold) ** Changed in: openjpeg2 (Ubuntu) Assignee: SteveA (sarnold) => Seth Arnold

[Bug 711061] Re: [MIR] openjpeg2

2016-08-13 Thread Mathew Hodson
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-5030 ** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1499 ** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3358 ** CVE removed: http://www.cve.mitre.org/cgi-

[Bug 711061] Re: [MIR] openjpeg2

2016-08-12 Thread Jeremy Bicha
jasper will be removed from Debian soon. I think the only thing currently using jasper in main is imagemagick, see bug 1612822. Since imagemagick already supports openjpeg2 and actually doesn't support jasper any more, it might be nice if openjpeg2 could simply take jasper's place as jasper is