Debian LTS: Security Advisory for openjpeg2 (DLA-2277-1)

The remote host is missing an update for the 'openjpeg2' package(s) announced via the DLA-2277-1 advisory.

The following CVEs were reported against src:openjpeg2. CVE-2019-12973 In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616. CVE-2020-6851 OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of opj_j2k_update_image_dimensions validation. CVE-2020-8112 opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. CVE-2020-15389 jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.

'openjpeg2' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 9 stretch, these problems have been fixed in version 2.1.2-1.1+deb9u5. We recommend that you upgrade your openjpeg2 packages.