[Bug 711061] Re: [MIR] openjpeg2
** Description changed: openjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to /debian/rules adds openjpeg as a build-dep to poppler, which is in main, openjpeg must also be in main. - ImageMagick also needs openjpeg in main so it can be built with JPEG2000 support. - (LP: #1447968) + ImageMagick also needs openjpeg in main so it can be built with JPEG2000 + support. (LP: #1447968) Main inclusion requirements: 1. It is already in universe. 2. The package is a new build-dep and has a large user base (think evince). 3. Searching https://secuniaresearch.flexerasoftware.com/community/advisories/search/ for openjpeg gave zero results. 4. openjpeg has no current Ubuntu bugs (https://bugs.launchpad.net/ubuntu/+source/openjpeg2) Debian bugs at https://bugs.debian.org/cgi- bin/pkgreport.cgi?src=openjpeg2 openjpeg does not require any configuration or debconf questions. 5. N/A 6. All build-deps are already included in main. 7. I am afraid that this is a bit over my head. Hopefully, someone else could ensure that this package meets the requirements here. Based on its long inclusion in Debian and Ubuntu, I think that it should be alright here. 8. This is a fairly simple program that doesn't need too much maintenance as shown by the bug reports. 9. The package title and description seem to be in order. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Promoted $ ./change-override -c main -t openjpeg2 Override component to main openjpeg2 2.3.1-1 in focal: universe/misc -> main Override [y|N]? y 1 publication overridden. $ ./change-override -c main libopenjp2-7 Override component to main libopenjp2-7 2.3.1-1 in focal amd64: universe/libs/extra/100% -> main libopenjp2-7 2.3.1-1 in focal arm64: universe/libs/extra/100% -> main libopenjp2-7 2.3.1-1 in focal armhf: universe/libs/extra/100% -> main libopenjp2-7 2.3.1-1 in focal i386: universe/libs/extra/100% -> main libopenjp2-7 2.3.1-1 in focal ppc64el: universe/libs/extra/100% -> main libopenjp2-7 2.3.1-1 in focal s390x: universe/libs/extra/100% -> main Override [y|N]? y 6 publications overridden. ** Changed in: openjpeg2 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
synced Ghostscript 9.50 from Debian, pulling in libopenjpeg2. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
No worry! I'll promote it once we have something pulling it in the archive -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Great, finally succeeded after 9 (!) years! I will soon update the Ghostscript packages, merging 9.50 from Debian and switch over to use the libopenjpeg2 instead of the Ghostscript- internal library. Other target is Poppler, I hope the Poppler package maintainer is aware. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
This already had the Security review acked - thanks ebarretto for clarifying. The only thing missing was a Team subscriber. $ ./get-packages-subscribed.py --team desktop-packages -p | grep openjpeg openjpeg2 The missing subscription is now resolved, therefore this is ready. It is not yet in component mismatches, so per [1] I'll mark it "In Progress" and unassign the security Team. @Desktop - are you adding a dependency or seed change to pull it in? [1]: https://wiki.ubuntu.com/MIRTeam#Process_states ** Changed in: openjpeg2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) ** Changed in: openjpeg2 (Ubuntu) Status: Incomplete => In Progress ** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => Didier Roche (didrocks) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
@didrocks, please forgive me but to avoid this being lost I assigned you for now - feel free to re-assign inside the team as needed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
FYI this still lacks a team subscriber - per the former comments I'd have expected "desktop-packages" but haven't found that one. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
With above analysis done, in conjunction with the decisions in Paris and per the discussion in the MIR team meeting at [1] this is an ack. Please go forward with vendored dependencies, that applies to: 1. the security team which has this on its queue for review 2. the server team for an eventual upload http://ubottu.com/meetingology/logs/ubuntu-meeting/2020/ubuntu- meeting.2020-01-14-14.03.moin.txt -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** Changed in: openjpeg2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
I reviewed openjpeg2 2.3.1-1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability. openjpeg2 is a library to encode and decode JPEG 2000 images. JPEG 2000 is an image compression standard and coding system. OpenJPEG dates back from 2005 and has become the JPEG 2000 reference software in 2015. - CVE History: - openjpeg has been assigned CVEs every year since 2012. For Xenial we still have some 2016 CVEs that we are unaware of the fix. There are also a couple of CVEs that don't have fix or we are unsure if they were solved: CVE-2018-16376, CVE-2018-20846, CVE-2019-6988 - Upstream is responsive and willing to fix security issues, but they still need to improve on how to communicate about the fixes. - Build-Depends: - cmake - debhelper - default-jdk - dh-apache2 - help2man - javahelper - libcurl4-gnutls-dev or libcurl-ssl-dev - libfcgi-dev - liblcms2-dev - libpng-dev - libtiff-dev - libxerces2-java - zlib1g-dev - postinst, prerm and postrm scripts automatically added - No init scripts - No systemd units - No dbus services - No setuid binaries - binaries in PATH - /usr/bin/opj_compress - This program reads in an image of a certain type and converts it to a JPEG2000 file. - /usr/bin/opj_decompress - This program reads in a JPEG2000 image and converts it to another image type. - /usr/bin/opj_dump - This program reads in a JPEG2000 image and dumps the contents to stdout. - /usr/bin/opj_jp3d_compress - compress into JP3D volume. - /usr/bin/opj_jp3d_decompress - decompress JP3D volume. - /usr/bin/opj_dec_server - server to decode JPT/JPP-stream and communicate locally with JPIP client, which is coded in java. - /usr/bin/opj_jpip_addxml - embed metadata into JP2 file. - /usr/bin/opj_jpip_test - test index code format of a JP2 file. - /usr/bin/opj_jpip_transcode - convert JPT/JPP-stream to JP2 or J2K. - /usr/bin/opj_server - JPIP server supporting HTTP connection and JPT/JPP-stream. - /usr/bin/opj_jpip_viewer - No sudo fragments - No udev rules - openjpeg2 has 1478 tests under tests/, including Google's oss-fuzzers setup. - some of those tests are CVEs reproducers. - No cron jobs - Build logs: - Multiple compiler warnings: /<>/src/lib/openjp2/openjpeg.c:1041:30: warning: cast between incompatible function types from int (*)(FILE *) {aka int (*)(struct _IO_FILE *)} to void (*)(void *) [-Wcast-function-type] /<>/src/bin/jp3d/opj_jp3d_decompress.c:488:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value of fscanf, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result] /<>/src/bin/jp3d/convert.c:300:
[Bug 711061] Re: [MIR] openjpeg2
it was noted that img2pdf ftbfs with an JPEG2000 test error in https://launchpad.net/ubuntu/+source/img2pdf/0.3.3-1 Maybe it's worth finding out why -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
It looks like https://github.com/uclouvain/openjpeg/issues/1079 was recently resolved, which hopefully can help to move this issue forward! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Hm that makes sense! >From my reading of that issue, it's clear that you want the checks removed from the fuzzer, but not so clear that you want them added to the main library. That might be worth clarifying with upstream. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Hello Michael, thanks for giving this a new look. I know enough people have interest in working with JPEG2000 files -- this is a frequent request. The OpenJPEG team has really done a lot of work to improve the library, and it'd be well and truly satisfying to be able to move it to main. I'd really love for https://github.com/uclouvain/openjpeg/issues/1079 to be addressed. The *fuzzer* has implemented safety checks that should have been implemented in the library. Simply moving these checks from the fuzzer to the library would have a huge impact on safety and make the fuzzer far more effective. Of course, this only pays dividends if someone is fixing issues as ossfuzz finds and reports them. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Actually, both #1076 and #1078 are in the mj2 library, which Ubuntu disables with the -DBUILD_MJ2:BOOL=OFF CMake arg. Additionally, all of the cppcheck issues in #719 that are not under bin are in this mj2 library, except for one: [lib/openjpip/j2kheader_manager.c:120]: (error) Uninitialized variable: COD So I believe this is the only issue flagged by Seth that actually affects OpenJPEG when used as a library (and with mj2 library disabled). Of course, the issues with the tools and mj2 library are not encouraging, but the situation doesn't seem as bad as I had thought. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Even better: #1077 can be immediately closed as a duplicate of #1078 (which contains discussion), and then you already fixed #1071 and just forgot to close. So that leaves us with two specific security issues affecting the library, #1076 and #1078, plus the "make cppcheck happy" issue #719. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
The security review in comment #59 and comment #60 looks very nice. I skimmed over the issues and noticed that almost all of them affect the utility tools (in bin), not the library itself. You may or may not consider that relevant to the MIR. The issues affecting the library code are: https://github.com/uclouvain/openjpeg/issues/719 https://github.com/uclouvain/openjpeg/issues/1071 https://github.com/uclouvain/openjpeg/issues/1076 https://github.com/uclouvain/openjpeg/issues/1077 https://github.com/uclouvain/openjpeg/issues/1078 There's also issue 1073, but that issue is disputed by upstream and doesn't affect Ubuntu anyway because Ubuntu uses system libtiff instead of the bundled code. All the other issues are in bin. ** Bug watch added: github.com/uclouvain/openjpeg/issues #719 https://github.com/uclouvain/openjpeg/issues/719 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
setting to incomplete again, based on the review above. ** Changed in: openjpeg2 (Ubuntu) Status: Confirmed => Incomplete ** Changed in: openjpeg2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Hi Misaki, There's multiple interacting issues: - ffmpeg is in universe; thus, many sites will not install it because they configure apt to only install packages from main. - imagemagick's insanely useful tools are used by hundreds or thousands of other applications. - openjpeg's upstream developers have made really impressive progress improving their code quality but it still appears to be a hobby / part time project rather than a production ready tool. At this point I'd probably even say openjpeg's quality is slightly better than imagemagick's quality. imagemagick is included in main because the effort to *remove* it from main would be substantial. Were imagemagick to be proposed as a new addition today it would not meet our quality expectations. However, I'm confident that at least some of the issues I've raised with openjpeg would allow for remote zero-interaction exploits of our desktop users if its code were properly exposed. It could be via attached images in emails being automatically thumbnailed, downloaded documents being automatically thumbnailed, etc. Perhaps album artwork on streaming music services. Probably not everything I've found is actually exploitable but I've flagged so many potential issues that it's entirely likely there's multiple paths to exploitation. The openjpeg team has come so far, it'd be a shame if they didn't cross the finish line at this point. (I also hope the imagemagick team can make similar strides, but hopefully everyone knows to run imagemagick commands in AppArmor profiles or SELinux policy by now.) Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Regarding security: it seems that ffmpeg has retained jpeg-2000 support during this time. ffmpeg's configuration, ffmpeg version 3.4.2-2 Copyright (c) 2000-2018 the FFmpeg developers built with gcc 7 (Ubuntu 7.3.0-16ubuntu2) [...] --enable-libopenjpeg [...] ffplay will display a jpeg2000 image, although I get a lot of warnings about 'End mismatch '. Is ffmpeg not exposed to any potential security flaws that imagemagick would be? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** Tags added: bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
I've filed: https://github.com/uclouvain/openjpeg/issues/1082 https://github.com/uclouvain/openjpeg/issues/1083 https://github.com/uclouvain/openjpeg/issues/1084 https://github.com/uclouvain/openjpeg/issues/1085 https://github.com/uclouvain/openjpeg/issues/1086 https://github.com/uclouvain/openjpeg/issues/1087 https://github.com/uclouvain/openjpeg/issues/1088 https://github.com/uclouvain/openjpeg/issues/1089 I'll move on to other MIRs for a while and let the upstream folks get a handle on these. Thanks ** Bug watch added: github.com/uclouvain/openjpeg/issues #1082 https://github.com/uclouvain/openjpeg/issues/1082 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1083 https://github.com/uclouvain/openjpeg/issues/1083 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1084 https://github.com/uclouvain/openjpeg/issues/1084 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1085 https://github.com/uclouvain/openjpeg/issues/1085 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1086 https://github.com/uclouvain/openjpeg/issues/1086 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1087 https://github.com/uclouvain/openjpeg/issues/1087 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1088 https://github.com/uclouvain/openjpeg/issues/1088 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1089 https://github.com/uclouvain/openjpeg/issues/1089 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
I've started in on a new review of openjpeg2. The code is vastly improved since the last time I read it but it still has rough edges. So far I've filed: https://github.com/uclouvain/openjpeg/issues/1065 https://github.com/uclouvain/openjpeg/issues/1066 https://github.com/uclouvain/openjpeg/issues/1067 https://github.com/uclouvain/openjpeg/issues/1068 https://github.com/uclouvain/openjpeg/issues/1069 https://github.com/uclouvain/openjpeg/issues/1070 https://github.com/uclouvain/openjpeg/issues/1071 https://github.com/uclouvain/openjpeg/issues/1072 https://github.com/uclouvain/openjpeg/issues/1073 https://github.com/uclouvain/openjpeg/issues/1074 https://github.com/uclouvain/openjpeg/issues/1075 https://github.com/uclouvain/openjpeg/issues/1076 https://github.com/uclouvain/openjpeg/issues/1077 https://github.com/uclouvain/openjpeg/issues/1078 https://github.com/uclouvain/openjpeg/issues/1079 cppcheck still returns a lot of results, it'd be nice to bring that to zero. Thanks ** Bug watch added: github.com/uclouvain/openjpeg/issues #1065 https://github.com/uclouvain/openjpeg/issues/1065 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1066 https://github.com/uclouvain/openjpeg/issues/1066 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1067 https://github.com/uclouvain/openjpeg/issues/1067 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1068 https://github.com/uclouvain/openjpeg/issues/1068 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1069 https://github.com/uclouvain/openjpeg/issues/1069 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1070 https://github.com/uclouvain/openjpeg/issues/1070 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1071 https://github.com/uclouvain/openjpeg/issues/1071 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1072 https://github.com/uclouvain/openjpeg/issues/1072 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1073 https://github.com/uclouvain/openjpeg/issues/1073 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1074 https://github.com/uclouvain/openjpeg/issues/1074 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1075 https://github.com/uclouvain/openjpeg/issues/1075 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1076 https://github.com/uclouvain/openjpeg/issues/1076 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1077 https://github.com/uclouvain/openjpeg/issues/1077 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1078 https://github.com/uclouvain/openjpeg/issues/1078 ** Bug watch added: github.com/uclouvain/openjpeg/issues #1079 https://github.com/uclouvain/openjpeg/issues/1079 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** Changed in: openjpeg2 (Ubuntu) Assignee: Seth Arnold (seth-arnold) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
I've found a regression [1]in Poppler 17.10 (worked fine in 17.04) that getting this in main would solve. I'm still not parsing exactly why this has regressed, but building with openjpeg2 support did fix it. [1] https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1714596 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** Description changed: - libopenjpeg should be included in main because compiling poppler with + openjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to /debian/rules adds - libopenjpeg as a build-dep to poppler, which is in main, libopenjpeg - must also be in main. + openjpeg as a build-dep to poppler, which is in main, openjpeg must also + be in main. - ImageMagick also needs openjpeg in main so it can be built with JPEG2000 - support. (LP: #1447968) + ImageMagick also needs openjpeg in main so it can be built with JPEG2000 support. + (LP: #1447968) Main inclusion requirements: - 1. It is already in the universe. + 1. It is already in universe. - 2. The package is a new build-dep, and has a large user base (think + 2. The package is a new build-dep and has a large user base (think evince). - 3. Searching http://secunia.com/advisories/search/ for libopenjpeg gave - zero results. + 3. Searching + https://secuniaresearch.flexerasoftware.com/community/advisories/search/ + for openjpeg gave zero results. - 4. Libopenjpeg has no current Ubuntu bugs (https://bugs.launchpad.net/ubuntu/maverick/+source/openjpeg) - in the Debian bug tracking system libopenjpeg has 1 open bug (http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an encoding bug, but the main use for this package will be decoding. - Libopenjpeg does not require any configuration or debconf questions. + 4. openjpeg has no current Ubuntu bugs + (https://bugs.launchpad.net/ubuntu/+source/openjpeg2) + +Debian bugs at https://bugs.debian.org/cgi- + bin/pkgreport.cgi?src=openjpeg2 + +openjpeg does not require any configuration or debconf questions. 5. N/A 6. All build-deps are already included in main. - 7. I am afraid that this is a bit over my head, hopefully someone else - could ensure that this package meets the requirments here. Based on its - long inclusion in Debian and Ubuntu I think that it should be alright + 7. I am afraid that this is a bit over my head. Hopefully, someone else + could ensure that this package meets the requirements here. Based on its + long inclusion in Debian and Ubuntu, I think that it should be alright here. - 8.This is a fairly simple program not needed too much maintenance, as - shown by the bug reports. + 8. This is a fairly simple program that doesn't need too much + maintenance as shown by the bug reports. 9. The package title and description seem to be in order. - - My only final comments are that I am sorry this may not be quite the - normal MIR, but I am just a member of bug control, not a dev. Also, any - help and advise along the way would be much appreciated. ** Description changed: openjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to /debian/rules adds openjpeg as a build-dep to poppler, which is in main, openjpeg must also be in main. ImageMagick also needs openjpeg in main so it can be built with JPEG2000 support. - (LP: #1447968) + (LP: #1447968) Main inclusion requirements: 1. It is already in universe. 2. The package is a new build-dep and has a large user base (think evince). 3. Searching https://secuniaresearch.flexerasoftware.com/community/advisories/search/ for openjpeg gave zero results. 4. openjpeg has no current Ubuntu bugs (https://bugs.launchpad.net/ubuntu/+source/openjpeg2) -Debian bugs at https://bugs.debian.org/cgi- + Debian bugs at https://bugs.debian.org/cgi- bin/pkgreport.cgi?src=openjpeg2 -openjpeg does not require any configuration or debconf questions. + openjpeg does not require any configuration or debconf questions. 5. N/A 6. All build-deps are already included in main. 7. I am afraid that this is a bit over my head. Hopefully, someone else could ensure that this package meets the requirements here. Based on its long inclusion in Debian and Ubuntu, I think that it should be alright here. 8. This is a fairly simple program that doesn't need too much maintenance as shown by the bug reports. 9. The package title and description seem to be in order. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Indeed it might be worth another look; there has been upstream activity addressing issues and the commit messages even reference Coverity. They've been trying. If jpeg2000 support in Ubuntu is important to you, I'd like to encourage you to: - read the openjpeg2 source code and suggest improvements - contribute images to a test suite - contribute a test suite if that's still lacking - run coverity or cppcheck or other static analysis tools on the codebase - fuzz the library with ubsan, asan, libdislocator, etc. - write libfuzzer-friendly wrappers around the functions and contribute these to the project if that's still lacking. Something really simple would be to build an asan or libdislocator variant and test with the files I've already generated and attached here. If any of the files I've attached in the last year still cause asan alerts when I get around to looking at the library again, it'll be a pretty poor report on the state of the library. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
ImageMagick also needs openjpeg in main so it can be built with JPEG2000 support. (LP: #1447968) ** Description changed: libopenjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to /debian/rules adds libopenjpeg as a build-dep to poppler, which is in main, libopenjpeg must also be in main. + + ImageMagick also needs openjpeg in main so it can be built with JPEG2000 + support. (LP: 1447968) Main inclusion requirements: 1. It is already in the universe. 2. The package is a new build-dep, and has a large user base (think evince). 3. Searching http://secunia.com/advisories/search/ for libopenjpeg gave zero results. 4. Libopenjpeg has no current Ubuntu bugs (https://bugs.launchpad.net/ubuntu/maverick/+source/openjpeg) - in the Debian bug tracking system libopenjpeg has 1 open bug (http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an encoding bug, but the main use for this package will be decoding. - Libopenjpeg does not require any configuration or debconf questions. + in the Debian bug tracking system libopenjpeg has 1 open bug (http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an encoding bug, but the main use for this package will be decoding. + Libopenjpeg does not require any configuration or debconf questions. 5. N/A 6. All build-deps are already included in main. 7. I am afraid that this is a bit over my head, hopefully someone else could ensure that this package meets the requirments here. Based on its long inclusion in Debian and Ubuntu I think that it should be alright here. 8.This is a fairly simple program not needed too much maintenance, as shown by the bug reports. 9. The package title and description seem to be in order. - - My only final comments are that I am sorry this may not be quite the normal MIR, but I am just a member of bug control, not a dev. Also, any help and advise along the way would be much appreciated. + My only final comments are that I am sorry this may not be quite the + normal MIR, but I am just a member of bug control, not a dev. Also, any + help and advise along the way would be much appreciated. ** Description changed: libopenjpeg should be included in main because compiling poppler with --enable-openjpeg in debian/rules gives poppler greater functionality (please see bug 710412). Since this change to /debian/rules adds libopenjpeg as a build-dep to poppler, which is in main, libopenjpeg must also be in main. ImageMagick also needs openjpeg in main so it can be built with JPEG2000 - support. (LP: 1447968) + support. (LP: #1447968) Main inclusion requirements: 1. It is already in the universe. 2. The package is a new build-dep, and has a large user base (think evince). 3. Searching http://secunia.com/advisories/search/ for libopenjpeg gave zero results. 4. Libopenjpeg has no current Ubuntu bugs (https://bugs.launchpad.net/ubuntu/maverick/+source/openjpeg) in the Debian bug tracking system libopenjpeg has 1 open bug (http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an encoding bug, but the main use for this package will be decoding. Libopenjpeg does not require any configuration or debconf questions. 5. N/A 6. All build-deps are already included in main. 7. I am afraid that this is a bit over my head, hopefully someone else could ensure that this package meets the requirments here. Based on its long inclusion in Debian and Ubuntu I think that it should be alright here. 8.This is a fairly simple program not needed too much maintenance, as shown by the bug reports. 9. The package title and description seem to be in order. My only final comments are that I am sorry this may not be quite the normal MIR, but I am just a member of bug control, not a dev. Also, any help and advise along the way would be much appreciated. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
I've filed https://github.com/uclouvain/openjpeg/issues/811 to ask the OpenJPEG team to look at the 646 crashing inputs uncovered by AFL. (Sorry about the extra messages, but github won't let me upload attachments. So launchpad is most convenient for hosting the tarball.) Thanks ** Bug watch added: github.com/uclouvain/openjpeg/issues #811 https://github.com/uclouvain/openjpeg/issues/811 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
I ran afl-fuzz against the upstream openjpeg 2.1.1 release and found the following corpus of crashing inputs: 68ae4c0f26ff70a7cac6495c430db7e9c42c5a33d81026cfbe0576026556d7f0 crashes-openjpeg-2.1.1.tar.gz Thanks ** Attachment added: "crashes-openjpeg-2.1.1.tar.gz" https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+attachment/4723094/+files/crashes-openjpeg-2.1.1.tar.gz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
Seth, back to you. I don't know how different a codebase openjpeg2 is from openjpeg. But version numbers got bumped at least. :) ** Changed in: openjpeg2 (Ubuntu) Assignee: (unassigned) => SteveA (sarnold) ** Changed in: openjpeg2 (Ubuntu) Assignee: SteveA (sarnold) => Seth Arnold (seth-arnold) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2009-5030 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-1499 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3358 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3535 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 711061] Re: [MIR] openjpeg2
jasper will be removed from Debian soon. I think the only thing currently using jasper in main is imagemagick, see bug 1612822. Since imagemagick already supports openjpeg2 and actually doesn't support jasper any more, it might be nice if openjpeg2 could simply take jasper's place as jasper is demoted and removed in yakkety. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/711061 Title: [MIR] openjpeg2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs