Debian Security Advisory

DLA-2277-1 openjpeg2 -- LTS security update

Date Reported:
11 Jul 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 931292, Bug 950000, Bug 950184.
In Mitre's CVE dictionary: CVE-2019-12973, CVE-2020-6851, CVE-2020-8112, CVE-2020-15389.
More information:

The following CVEs were reported against src:openjpeg2.

  • CVE-2019-12973

    In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.

  • CVE-2020-6851

    OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of opj_j2k_update_image_dimensions validation.

  • CVE-2020-8112

    opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851.

  • CVE-2020-15389

    jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.

For Debian 9 stretch, these problems have been fixed in version 2.1.2-1.1+deb9u5.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: