[Bug 711061] Re: [MIR] openjpeg2

[Mathew Hodson]

** Description changed:

  openjpeg should be included in main because compiling poppler with
  --enable-openjpeg in debian/rules gives poppler greater functionality
  (please see bug 710412). Since this change to /debian/rules adds
  openjpeg as a build-dep to poppler, which is in main, openjpeg must also
  be in main.
  
- ImageMagick also needs openjpeg in main so it can be built with JPEG2000 
support.
-  (LP: #1447968)
+ ImageMagick also needs openjpeg in main so it can be built with JPEG2000
+ support. (LP: #1447968)
  
  Main inclusion requirements:
  
  1. It is already in universe.
  
  2. The package is a new build-dep and has a large user base (think
  evince).
  
  3. Searching
  https://secuniaresearch.flexerasoftware.com/community/advisories/search/
  for openjpeg gave zero results.
  
  4. openjpeg has no current Ubuntu bugs
  (https://bugs.launchpad.net/ubuntu/+source/openjpeg2)
  
  Debian bugs at https://bugs.debian.org/cgi-
  bin/pkgreport.cgi?src=openjpeg2
  
  openjpeg does not require any configuration or debconf questions.
  
  5. N/A
  
  6. All build-deps are already included in main.
  
  7. I am afraid that this is a bit over my head. Hopefully, someone else
  could ensure that this package meets the requirements here. Based on its
  long inclusion in Debian and Ubuntu, I think that it should be alright
  here.
  
  8. This is a fairly simple program that doesn't need too much
  maintenance as shown by the bug reports.
  
  9. The package title and description seem to be in order.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Didier Roche]

Promoted

$ ./change-override -c main -t openjpeg2
Override component to main
openjpeg2 2.3.1-1 in focal: universe/misc -> main
Override [y|N]? y
1 publication overridden.
$ ./change-override -c main libopenjp2-7
Override component to main
libopenjp2-7 2.3.1-1 in focal amd64: universe/libs/extra/100% -> main
libopenjp2-7 2.3.1-1 in focal arm64: universe/libs/extra/100% -> main
libopenjp2-7 2.3.1-1 in focal armhf: universe/libs/extra/100% -> main
libopenjp2-7 2.3.1-1 in focal i386: universe/libs/extra/100% -> main
libopenjp2-7 2.3.1-1 in focal ppc64el: universe/libs/extra/100% -> main
libopenjp2-7 2.3.1-1 in focal s390x: universe/libs/extra/100% -> main
Override [y|N]? y
6 publications overridden.


** Changed in: openjpeg2 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Till Kamppeter]

synced Ghostscript 9.50 from Debian, pulling in libopenjpeg2.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Didier Roche]

No worry! I'll promote it once we have something pulling it in the
archive

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Till Kamppeter]

Great, finally succeeded after 9 (!) years!

I will soon update the Ghostscript packages, merging 9.50 from Debian
and switch over to use the libopenjpeg2 instead of the Ghostscript-
internal library.

Other target is Poppler, I hope the Poppler package maintainer is aware.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Christian Ehrhardt ]

@didrocks, please forgive me but to avoid this being lost I assigned you
for now - feel free to re-assign inside the team as needed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Christian Ehrhardt ]

This already had the Security review acked - thanks ebarretto for clarifying.
The only thing missing was a Team subscriber.

$ ./get-packages-subscribed.py --team desktop-packages -p | grep openjpeg
openjpeg2

The missing subscription is now resolved, therefore this is ready.
It is not yet in component mismatches, so per [1] I'll mark it "In Progress" 
and unassign the security Team.

@Desktop - are you adding a dependency or seed change to pull it in?

[1]: https://wiki.ubuntu.com/MIRTeam#Process_states

** Changed in: openjpeg2 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: openjpeg2 (Ubuntu)
   Status: Incomplete => In Progress

** Changed in: openjpeg2 (Ubuntu)
 Assignee: (unassigned) => Didier Roche (didrocks)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Didier Roche]

** Changed in: openjpeg2 (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Christian Ehrhardt ]

FYI this still lacks a team subscriber - per the former comments I'd
have expected "desktop-packages" but haven't found that one.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Christian Ehrhardt ]

With above analysis done, in conjunction with the decisions in Paris and
per the discussion in the MIR team meeting at [1] this is an ack.

Please go forward with vendored dependencies, that applies to:
1. the security team which has this on its queue for review
2. the server team for an eventual upload

http://ubottu.com/meetingology/logs/ubuntu-meeting/2020/ubuntu-
meeting.2020-01-14-14.03.moin.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Eduardo dos Santos Barretto]

** Changed in: openjpeg2 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Eduardo dos Santos Barretto]

I reviewed openjpeg2 2.3.1-1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

openjpeg2 is a library to encode and decode JPEG 2000 images. JPEG 2000 is an
image compression standard and coding system. OpenJPEG dates back from 2005
and has become the JPEG 2000 reference software in 2015.

- CVE History:
  - openjpeg has been assigned CVEs every year since 2012. For Xenial we still
have some 2016 CVEs that we are unaware of the fix. There are also a couple
of CVEs that don't have fix or we are unsure if they were solved:
CVE-2018-16376, CVE-2018-20846, CVE-2019-6988
  - Upstream is responsive and willing to fix security issues, but they still
need to improve on how to communicate about the fixes.
- Build-Depends:
  - cmake
  - debhelper
  - default-jdk
  - dh-apache2
  - help2man
  - javahelper
  - libcurl4-gnutls-dev or libcurl-ssl-dev
  - libfcgi-dev
  - liblcms2-dev
  - libpng-dev
  - libtiff-dev
  - libxerces2-java
  - zlib1g-dev
- postinst, prerm and postrm scripts automatically added
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/opj_compress - This program reads in an image of a certain type
and converts it to a JPEG2000 file.
  - /usr/bin/opj_decompress - This program reads in a JPEG2000 image and
converts it to another image type.
  - /usr/bin/opj_dump - This program reads in a JPEG2000 image and dumps the
contents to stdout.
  - /usr/bin/opj_jp3d_compress - compress into JP3D volume.
  - /usr/bin/opj_jp3d_decompress - decompress JP3D volume.
  - /usr/bin/opj_dec_server - server to decode JPT/JPP-stream and communicate
locally with JPIP client, which is coded in java.
  - /usr/bin/opj_jpip_addxml - embed metadata into JP2 file.
  - /usr/bin/opj_jpip_test - test index code format of a JP2 file.
  - /usr/bin/opj_jpip_transcode - convert JPT/JPP-stream to JP2 or J2K.
  - /usr/bin/opj_server - JPIP server supporting HTTP connection and
JPT/JPP-stream.
  - /usr/bin/opj_jpip_viewer
- No sudo fragments
- No udev rules
- openjpeg2 has 1478 tests under tests/, including Google's oss-fuzzers setup.
  - some of those tests are CVEs reproducers.
- No cron jobs
- Build logs:
  - Multiple compiler warnings:
/<>/src/lib/openjp2/openjpeg.c:1041:30: warning: cast between 
incompatible function types from int (*)(FILE *) {aka int (*)(struct _IO_FILE 
*)} to void (*)(void *) [-Wcast-function-type]
/<>/src/bin/jp3d/opj_jp3d_decompress.c:488:5: warning: ignoring 
return value of fread, declared with attribute warn_unused_result 
[-Wunused-result]
/<>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value 
of fscanf, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value 
of fgets, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value 
of fgets, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]
/<>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value 
of fread, declared with attribute warn_unused_result [-Wunused-result]

[Bug 711061] Re: [MIR] openjpeg2

[Matthias Klose]

it was noted that img2pdf ftbfs with an JPEG2000 test error in
https://launchpad.net/ubuntu/+source/img2pdf/0.3.3-1

Maybe it's worth finding out why

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Eduardo dos Santos Barretto]

** Changed in: openjpeg2 (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[jonathan green]

It looks like https://github.com/uclouvain/openjpeg/issues/1079 was
recently resolved, which hopefully can help to move this issue forward!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Michael Catanzaro]

Hm that makes sense!

>From my reading of that issue, it's clear that you want the checks
removed from the fuzzer, but not so clear that you want them added to
the main library. That might be worth clarifying with upstream.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

Hello Michael, thanks for giving this a new look. I know enough people
have interest in working with JPEG2000 files -- this is a frequent
request. The OpenJPEG team has really done a lot of work to improve the
library, and it'd be well and truly satisfying to be able to move it to
main.

I'd really love for https://github.com/uclouvain/openjpeg/issues/1079 to
be addressed. The *fuzzer* has implemented safety checks that should
have been implemented in the library. Simply moving these checks from
the fuzzer to the library would have a huge impact on safety and make
the fuzzer far more effective.

Of course, this only pays dividends if someone is fixing issues as
ossfuzz finds and reports them.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Michael Catanzaro]

Actually, both #1076 and #1078 are in the mj2 library, which Ubuntu
disables with the -DBUILD_MJ2:BOOL=OFF CMake arg. Additionally, all of
the cppcheck issues in #719 that are not under bin are in this mj2
library, except for one:

[lib/openjpip/j2kheader_manager.c:120]: (error) Uninitialized variable:
COD

So I believe this is the only issue flagged by Seth that actually
affects OpenJPEG when used as a library (and with mj2 library disabled).

Of course, the issues with the tools and mj2 library are not
encouraging, but the situation doesn't seem as bad as I had thought.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Michael Catanzaro]

Even better: #1077 can be immediately closed as a duplicate of #1078
(which contains discussion), and then you already fixed #1071 and just
forgot to close. So that leaves us with two specific security issues
affecting the library, #1076 and #1078, plus the "make cppcheck happy"
issue #719.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Michael Catanzaro]

The security review in comment #59 and comment #60 looks very nice. I
skimmed over the issues and noticed that almost all of them affect the
utility tools (in bin), not the library itself. You may or may not
consider that relevant to the MIR. The issues affecting the library code
are:

https://github.com/uclouvain/openjpeg/issues/719
https://github.com/uclouvain/openjpeg/issues/1071
https://github.com/uclouvain/openjpeg/issues/1076
https://github.com/uclouvain/openjpeg/issues/1077
https://github.com/uclouvain/openjpeg/issues/1078

There's also issue 1073, but that issue is disputed by upstream and
doesn't affect Ubuntu anyway because Ubuntu uses system libtiff instead
of the bundled code. All the other issues are in bin.

** Bug watch added: github.com/uclouvain/openjpeg/issues #719
   https://github.com/uclouvain/openjpeg/issues/719

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Matthias Klose]

setting to incomplete again, based on the review above.

** Changed in: openjpeg2 (Ubuntu)
   Status: Confirmed => Incomplete

** Changed in: openjpeg2 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

Hi Misaki,

There's multiple interacting issues:

- ffmpeg is in universe; thus, many sites will not install it because
they configure apt to only install packages from main.

- imagemagick's insanely useful tools are used by hundreds or thousands
of other applications.

- openjpeg's upstream developers have made really impressive progress
improving their code quality but it still appears to be a hobby / part
time project rather than a production ready tool.

At this point I'd probably even say openjpeg's quality is slightly
better than imagemagick's quality. imagemagick is included in main
because the effort to *remove* it from main would be substantial. Were
imagemagick to be proposed as a new addition today it would not meet our
quality expectations.

However, I'm confident that at least some of the issues I've raised with
openjpeg would allow for remote zero-interaction exploits of our desktop
users if its code were properly exposed. It could be via attached images
in emails being automatically thumbnailed, downloaded documents being
automatically thumbnailed, etc. Perhaps album artwork on streaming music
services. Probably not everything I've found is actually exploitable but
I've flagged so many potential issues that it's entirely likely there's
multiple paths to exploitation.

The openjpeg team has come so far, it'd be a shame if they didn't cross
the finish line at this point. (I also hope the imagemagick team can
make similar strides, but hopefully everyone knows to run imagemagick
commands in AppArmor profiles or SELinux policy by now.)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Misaki]

Regarding security: it seems that ffmpeg has retained jpeg-2000 support
during this time. ffmpeg's configuration,

ffmpeg version 3.4.2-2 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7 (Ubuntu 7.3.0-16ubuntu2)

[...]
--enable-libopenjpeg
[...]

ffplay will display a jpeg2000 image, although I get a lot of warnings
about 'End mismatch '.

Is ffmpeg not exposed to any potential security flaws that imagemagick
would be?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Misaki]

** Tags added: bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

I've filed:

https://github.com/uclouvain/openjpeg/issues/1082
https://github.com/uclouvain/openjpeg/issues/1083
https://github.com/uclouvain/openjpeg/issues/1084
https://github.com/uclouvain/openjpeg/issues/1085
https://github.com/uclouvain/openjpeg/issues/1086
https://github.com/uclouvain/openjpeg/issues/1087
https://github.com/uclouvain/openjpeg/issues/1088
https://github.com/uclouvain/openjpeg/issues/1089

I'll move on to other MIRs for a while and let the upstream folks get a
handle on these.

Thanks

** Bug watch added: github.com/uclouvain/openjpeg/issues #1082
   https://github.com/uclouvain/openjpeg/issues/1082

** Bug watch added: github.com/uclouvain/openjpeg/issues #1083
   https://github.com/uclouvain/openjpeg/issues/1083

** Bug watch added: github.com/uclouvain/openjpeg/issues #1084
   https://github.com/uclouvain/openjpeg/issues/1084

** Bug watch added: github.com/uclouvain/openjpeg/issues #1085
   https://github.com/uclouvain/openjpeg/issues/1085

** Bug watch added: github.com/uclouvain/openjpeg/issues #1086
   https://github.com/uclouvain/openjpeg/issues/1086

** Bug watch added: github.com/uclouvain/openjpeg/issues #1087
   https://github.com/uclouvain/openjpeg/issues/1087

** Bug watch added: github.com/uclouvain/openjpeg/issues #1088
   https://github.com/uclouvain/openjpeg/issues/1088

** Bug watch added: github.com/uclouvain/openjpeg/issues #1089
   https://github.com/uclouvain/openjpeg/issues/1089

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

I've started in on a new review of openjpeg2. The code is vastly
improved since the last time I read it but it still has rough edges. So
far I've filed:

https://github.com/uclouvain/openjpeg/issues/1065
https://github.com/uclouvain/openjpeg/issues/1066
https://github.com/uclouvain/openjpeg/issues/1067
https://github.com/uclouvain/openjpeg/issues/1068
https://github.com/uclouvain/openjpeg/issues/1069
https://github.com/uclouvain/openjpeg/issues/1070
https://github.com/uclouvain/openjpeg/issues/1071
https://github.com/uclouvain/openjpeg/issues/1072
https://github.com/uclouvain/openjpeg/issues/1073
https://github.com/uclouvain/openjpeg/issues/1074
https://github.com/uclouvain/openjpeg/issues/1075
https://github.com/uclouvain/openjpeg/issues/1076
https://github.com/uclouvain/openjpeg/issues/1077
https://github.com/uclouvain/openjpeg/issues/1078
https://github.com/uclouvain/openjpeg/issues/1079

cppcheck still returns a lot of results, it'd be nice to bring that to
zero.

Thanks

** Bug watch added: github.com/uclouvain/openjpeg/issues #1065
   https://github.com/uclouvain/openjpeg/issues/1065

** Bug watch added: github.com/uclouvain/openjpeg/issues #1066
   https://github.com/uclouvain/openjpeg/issues/1066

** Bug watch added: github.com/uclouvain/openjpeg/issues #1067
   https://github.com/uclouvain/openjpeg/issues/1067

** Bug watch added: github.com/uclouvain/openjpeg/issues #1068
   https://github.com/uclouvain/openjpeg/issues/1068

** Bug watch added: github.com/uclouvain/openjpeg/issues #1069
   https://github.com/uclouvain/openjpeg/issues/1069

** Bug watch added: github.com/uclouvain/openjpeg/issues #1070
   https://github.com/uclouvain/openjpeg/issues/1070

** Bug watch added: github.com/uclouvain/openjpeg/issues #1071
   https://github.com/uclouvain/openjpeg/issues/1071

** Bug watch added: github.com/uclouvain/openjpeg/issues #1072
   https://github.com/uclouvain/openjpeg/issues/1072

** Bug watch added: github.com/uclouvain/openjpeg/issues #1073
   https://github.com/uclouvain/openjpeg/issues/1073

** Bug watch added: github.com/uclouvain/openjpeg/issues #1074
   https://github.com/uclouvain/openjpeg/issues/1074

** Bug watch added: github.com/uclouvain/openjpeg/issues #1075
   https://github.com/uclouvain/openjpeg/issues/1075

** Bug watch added: github.com/uclouvain/openjpeg/issues #1076
   https://github.com/uclouvain/openjpeg/issues/1076

** Bug watch added: github.com/uclouvain/openjpeg/issues #1077
   https://github.com/uclouvain/openjpeg/issues/1077

** Bug watch added: github.com/uclouvain/openjpeg/issues #1078
   https://github.com/uclouvain/openjpeg/issues/1078

** Bug watch added: github.com/uclouvain/openjpeg/issues #1079
   https://github.com/uclouvain/openjpeg/issues/1079

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

** Changed in: openjpeg2 (Ubuntu)
 Assignee: Seth Arnold (seth-arnold) => Ubuntu Security Team 
(ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Bryan Quigley]

I've found a regression [1]in Poppler 17.10 (worked fine in 17.04) that
getting this in main would solve.  I'm still not parsing exactly why
this has regressed, but building with openjpeg2 support did fix it.

[1] https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1714596

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Mathew Hodson]

** Description changed:

- libopenjpeg should be included in main because compiling poppler with
+ openjpeg should be included in main because compiling poppler with
  --enable-openjpeg in debian/rules gives poppler greater functionality
  (please see bug 710412). Since this change to /debian/rules adds
- libopenjpeg as a build-dep to poppler, which is in main, libopenjpeg
- must also be in main.
+ openjpeg as a build-dep to poppler, which is in main, openjpeg must also
+ be in main.
  
- ImageMagick also needs openjpeg in main so it can be built with JPEG2000
- support. (LP: #1447968)
+ ImageMagick also needs openjpeg in main so it can be built with JPEG2000 
support.
+  (LP: #1447968)
  
  Main inclusion requirements:
  
- 1. It is already in the universe.
+ 1. It is already in universe.
  
- 2. The package is a new build-dep, and has a large user base (think
+ 2. The package is a new build-dep and has a large user base (think
  evince).
  
- 3. Searching http://secunia.com/advisories/search/ for libopenjpeg gave
- zero results.
+ 3. Searching
+ https://secuniaresearch.flexerasoftware.com/community/advisories/search/
+ for openjpeg gave zero results.
  
- 4. Libopenjpeg has no current Ubuntu bugs 
(https://bugs.launchpad.net/ubuntu/maverick/+source/openjpeg)
-  in the Debian bug tracking system libopenjpeg has 1 open bug 
(http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an 
encoding bug, but the main use for this package will be decoding.
-  Libopenjpeg does not require any configuration or debconf questions.
+ 4. openjpeg has no current Ubuntu bugs
+ (https://bugs.launchpad.net/ubuntu/+source/openjpeg2)
+ 
+Debian bugs at https://bugs.debian.org/cgi-
+ bin/pkgreport.cgi?src=openjpeg2
+ 
+openjpeg does not require any configuration or debconf questions.
  
  5. N/A
  
  6. All build-deps are already included in main.
  
- 7. I am afraid that this is a bit over my head, hopefully someone else
- could ensure that this package meets the requirments here. Based on its
- long inclusion in Debian and Ubuntu I think that it should be alright
+ 7. I am afraid that this is a bit over my head. Hopefully, someone else
+ could ensure that this package meets the requirements here. Based on its
+ long inclusion in Debian and Ubuntu, I think that it should be alright
  here.
  
- 8.This is a fairly simple program not needed too much maintenance, as
- shown by the bug reports.
+ 8. This is a fairly simple program that doesn't need too much
+ maintenance as shown by the bug reports.
  
  9. The package title and description seem to be in order.
- 
- My only final comments are that I am sorry this may not be quite the
- normal MIR, but I am just a member of bug control, not a dev. Also, any
- help and advise along the way would be much appreciated.

** Description changed:

  openjpeg should be included in main because compiling poppler with
  --enable-openjpeg in debian/rules gives poppler greater functionality
  (please see bug 710412). Since this change to /debian/rules adds
  openjpeg as a build-dep to poppler, which is in main, openjpeg must also
  be in main.
  
  ImageMagick also needs openjpeg in main so it can be built with JPEG2000 
support.
-  (LP: #1447968)
+  (LP: #1447968)
  
  Main inclusion requirements:
  
  1. It is already in universe.
  
  2. The package is a new build-dep and has a large user base (think
  evince).
  
  3. Searching
  https://secuniaresearch.flexerasoftware.com/community/advisories/search/
  for openjpeg gave zero results.
  
  4. openjpeg has no current Ubuntu bugs
  (https://bugs.launchpad.net/ubuntu/+source/openjpeg2)
  
-Debian bugs at https://bugs.debian.org/cgi-
+ Debian bugs at https://bugs.debian.org/cgi-
  bin/pkgreport.cgi?src=openjpeg2
  
-openjpeg does not require any configuration or debconf questions.
+ openjpeg does not require any configuration or debconf questions.
  
  5. N/A
  
  6. All build-deps are already included in main.
  
  7. I am afraid that this is a bit over my head. Hopefully, someone else
  could ensure that this package meets the requirements here. Based on its
  long inclusion in Debian and Ubuntu, I think that it should be alright
  here.
  
  8. This is a fairly simple program that doesn't need too much
  maintenance as shown by the bug reports.
  
  9. The package title and description seem to be in order.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

Indeed it might be worth another look; there has been upstream activity
addressing issues and the commit messages even reference Coverity.
They've been trying.

If jpeg2000 support in Ubuntu is important to you, I'd like to encourage you to:
- read the openjpeg2 source code and suggest improvements
- contribute images to a test suite
- contribute a test suite if that's still lacking
- run coverity or cppcheck or other static analysis tools on the codebase
- fuzz the library with ubsan, asan, libdislocator, etc.
- write libfuzzer-friendly wrappers around the functions and contribute these 
to the project if that's still lacking.

Something really simple would be to build an asan or libdislocator
variant and test with the files I've already generated and attached
here. If any of the files I've attached in the last year still cause
asan alerts when I get around to looking at the library again, it'll be
a pretty poor report on the state of the library.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Mathew Hodson]

ImageMagick also needs openjpeg in main so it can be built with JPEG2000
support. (LP: #1447968)

** Description changed:

  libopenjpeg should be included in main because compiling poppler with
  --enable-openjpeg in debian/rules gives poppler greater functionality
  (please see bug 710412). Since this change to /debian/rules adds
  libopenjpeg as a build-dep to poppler, which is in main, libopenjpeg
  must also be in main.
+ 
+ ImageMagick also needs openjpeg in main so it can be built with JPEG2000
+ support. (LP: 1447968)
  
  Main inclusion requirements:
  
  1. It is already in the universe.
  
  2. The package is a new build-dep, and has a large user base (think
  evince).
  
  3. Searching http://secunia.com/advisories/search/ for libopenjpeg gave
  zero results.
  
  4. Libopenjpeg has no current Ubuntu bugs 
(https://bugs.launchpad.net/ubuntu/maverick/+source/openjpeg)
-  in the Debian bug tracking system libopenjpeg has 1 open bug 
(http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an 
encoding bug, but the main use for this package will be decoding.
-  Libopenjpeg does not require any configuration or debconf questions.
+  in the Debian bug tracking system libopenjpeg has 1 open bug 
(http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an 
encoding bug, but the main use for this package will be decoding.
+  Libopenjpeg does not require any configuration or debconf questions.
  
  5. N/A
  
  6. All build-deps are already included in main.
  
  7. I am afraid that this is a bit over my head, hopefully someone else
  could ensure that this package meets the requirments here. Based on its
  long inclusion in Debian and Ubuntu I think that it should be alright
  here.
  
  8.This is a fairly simple program not needed too much maintenance, as
  shown by the bug reports.
  
  9. The package title and description seem to be in order.
  
- 
- My only final comments are that I am sorry this may not be quite the normal 
MIR, but I am just a member of bug control, not a dev. Also, any help and 
advise along the way would be much appreciated.
+ My only final comments are that I am sorry this may not be quite the
+ normal MIR, but I am just a member of bug control, not a dev. Also, any
+ help and advise along the way would be much appreciated.

** Description changed:

  libopenjpeg should be included in main because compiling poppler with
  --enable-openjpeg in debian/rules gives poppler greater functionality
  (please see bug 710412). Since this change to /debian/rules adds
  libopenjpeg as a build-dep to poppler, which is in main, libopenjpeg
  must also be in main.
  
  ImageMagick also needs openjpeg in main so it can be built with JPEG2000
- support. (LP: 1447968)
+ support. (LP: #1447968)
  
  Main inclusion requirements:
  
  1. It is already in the universe.
  
  2. The package is a new build-dep, and has a large user base (think
  evince).
  
  3. Searching http://secunia.com/advisories/search/ for libopenjpeg gave
  zero results.
  
  4. Libopenjpeg has no current Ubuntu bugs 
(https://bugs.launchpad.net/ubuntu/maverick/+source/openjpeg)
   in the Debian bug tracking system libopenjpeg has 1 open bug 
(http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libopenjpeg2), this is an 
encoding bug, but the main use for this package will be decoding.
   Libopenjpeg does not require any configuration or debconf questions.
  
  5. N/A
  
  6. All build-deps are already included in main.
  
  7. I am afraid that this is a bit over my head, hopefully someone else
  could ensure that this package meets the requirments here. Based on its
  long inclusion in Debian and Ubuntu I think that it should be alright
  here.
  
  8.This is a fairly simple program not needed too much maintenance, as
  shown by the bug reports.
  
  9. The package title and description seem to be in order.
  
  My only final comments are that I am sorry this may not be quite the
  normal MIR, but I am just a member of bug control, not a dev. Also, any
  help and advise along the way would be much appreciated.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

I've filed https://github.com/uclouvain/openjpeg/issues/811 to ask the
OpenJPEG team to look at the 646 crashing inputs uncovered by AFL.
(Sorry about the extra messages, but github won't let me upload
attachments. So launchpad is most convenient for hosting the tarball.)

Thanks

** Bug watch added: github.com/uclouvain/openjpeg/issues #811
   https://github.com/uclouvain/openjpeg/issues/811

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Seth Arnold]

I ran afl-fuzz against the upstream openjpeg 2.1.1 release and found the
following corpus of crashing inputs:

68ae4c0f26ff70a7cac6495c430db7e9c42c5a33d81026cfbe0576026556d7f0
crashes-openjpeg-2.1.1.tar.gz


Thanks

** Attachment added: "crashes-openjpeg-2.1.1.tar.gz"
   
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+attachment/4723094/+files/crashes-openjpeg-2.1.1.tar.gz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Michael Terry]

Seth, back to you.  I don't know how different a codebase openjpeg2 is
from openjpeg.  But version numbers got bumped at least.  :)

** Changed in: openjpeg2 (Ubuntu)
 Assignee: (unassigned) => SteveA (sarnold)

** Changed in: openjpeg2 (Ubuntu)
 Assignee: SteveA (sarnold) => Seth Arnold (seth-arnold)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Mathew Hodson]

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-5030

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-1499

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3358

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3535

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 711061] Re: [MIR] openjpeg2

[Jeremy Bicha]

jasper will be removed from Debian soon. I think the only thing
currently using jasper in main is imagemagick, see bug 1612822.

Since imagemagick already supports openjpeg2 and actually doesn't
support jasper any more, it might be nice if openjpeg2 could simply take
jasper's place as jasper is demoted and removed in yakkety.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs