Debian Security Advisory
DLA-2975-1 openjpeg2 -- LTS security update
- Date Reported: 10 Apr 2022
- Affected Packages: openjpeg2
- Security database references: In Mitre's CVE dictionary: CVE-2020-27842, CVE-2020-27843, CVE-2021-29338, CVE-2022-1122.
- More information:
Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec.
CVE-2020-27842: A NULL pointer dereference can be triggered by specially crafted input. The highest impact of this flaw is to application availability.

CVE-2020-27843: Specially crafted input to the conversion or encoding functionality causes an out-of-bounds read. The highest threat from this vulnerability is to availability.

CVE-2021-29338: An integer overflow allows a remote attacker to crash the application, causing a denial of service. It is triggered when the "-ImgDir" command-line option of the bundled tools is used on a directory that contains 1048576 files.

CVE-2022-1122: An input directory containing a large number of files can lead to a segmentation fault and a denial of service, because free() is called on an uninitialized pointer.

The first two issues are reachable through any application that hands untrusted JPEG 2000 data to the library; the last two require the command-line tools to be run on a directory whose contents an attacker controls.
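The arithmetic behind a file-count overflow of this kind, as an added illustration that is not part of the advisory and not openjpeg's own code: the number of directory entries is multiplied by a fixed per-entry buffer length before the result is passed to malloc. With a 4096-byte per-entry length (the value of openjpeg's OPJ_PATH_LEN; an assumption of this example, since the advisory does not state it), 1048576 entries is exactly 2^20 x 2^12 = 2^32, so a 32-bit product wraps to zero and the table allocated is far too small for the names later written into it. The hardened variant widens to size_t and refuses counts whose product would not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-entry filename buffer length. 4096 matches openjpeg's OPJ_PATH_LEN,
 * but that value is an assumption of this example, not something the
 * advisory states. */
#define PATH_LEN 4096u

/* Vulnerable pattern: the product is formed in 32-bit arithmetic.
 * uint32_t is used so the wrap is well-defined and observable (signed
 * int overflow would be undefined behaviour). 1048576 * 4096 == 2^32,
 * which wraps to 0, so malloc would be asked for zero bytes. */
uint32_t unsafe_table_bytes(uint32_t num_files)
{
    return num_files * PATH_LEN;
}

/* Hardened pattern: widen to size_t and check for overflow before
 * multiplying. Returns 0 on success, -1 if the product would not fit. */
int checked_table_bytes(size_t num_files, size_t *out_bytes)
{
    if (num_files > SIZE_MAX / PATH_LEN)
        return -1;
    *out_bytes = num_files * PATH_LEN;
    return 0;
}

/* Allocate the filename table using the checked size. Returns NULL both
 * when malloc fails and when the count would overflow, so a caller never
 * receives a buffer smaller than num_files * PATH_LEN bytes. */
char *alloc_filename_table(size_t num_files)
{
    size_t bytes;
    if (checked_table_bytes(num_files, &bytes) != 0)
        return NULL;
    return (char *)malloc(bytes);
}

/* Stand-alone demonstration: compare the two size calculations at the
 * boundary the advisory names (1048576 files) and one entry below it. */
int main(void)
{
    uint32_t counts[] = { 1048575u, 1048576u };
    for (size_t i = 0; i < 2; i++) {
        size_t safe = 0;
        int rc = checked_table_bytes(counts[i], &safe);
        printf("files=%u  32-bit product=%u  checked=%s%zu\n",
               counts[i], unsafe_table_bytes(counts[i]),
               rc == 0 ? "" : "overflow ", safe);
    }
    return 0;
}
```

One entry below the boundary the 32-bit product is still correct (4294963200 bytes), which is why a test suite that stops short of 2^20 files never sees the bug; the checked version gives the same answer there and only diverges at the point where the narrow arithmetic wraps.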
For Debian 9 stretch, these problems have been fixed in version 2.1.2-1.1+deb9u7.
We recommend that you upgrade your openjpeg2 packages.
For the detailed security status of openjpeg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjpeg2
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS