Ubuntu Security Notice 7083-1 - It was discovered that OpenJPEG incorrectly handled certain memory operations when using the command line "-ImgDir" in a directory with a large number of files, leading to an integer overflow vulnerability. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that OpenJPEG incorrectly handled decompressing certain .j2k files in sycc420_to_rgb, leading to a heap-based buffer overflow vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to execute arbitrary code.
ff9f9486933fc7bd7d89dc29eb83d72d64684aeba87a4f207fd9ed45b92e8df5==========================================================================
Ubuntu Security Notice USN-7083-1
November 05, 2024
openjpeg2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenJPEG.
Software Description:
- openjpeg2: JPEG 2000 image compression/decompression library
Details:
It was discovered that OpenJPEG incorrectly handled certain memory
operations when using the command line "-ImgDir" in a directory with a
large number of files, leading to an integer overflow vulnerability. An
attacker could potentially use this issue to cause a denial of service.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2021-29338)
It was discovered that OpenJPEG incorrectly handled decompressing certain
.j2k files in sycc420_to_rgb, leading to a heap-based buffer overflow
vulnerability. If a user or automated system were tricked into opening
a specially crafted file, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-3575)
It was discovered that OpenJPEG incorrectly handled certain memory
operations in the opj2_decompress program. An attacker could potentially
use this issue to cause a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-1122)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libopenjp2-7 2.5.0-2ubuntu1.1
libopenjpip7 2.5.0-2ubuntu1.1
Ubuntu 24.04 LTS
libopenjp2-7 2.5.0-2ubuntu0.2
libopenjpip7 2.5.0-2ubuntu0.2
Ubuntu 22.04 LTS
libopenjp2-7 2.4.0-6ubuntu0.2
libopenjp3d7 2.4.0-6ubuntu0.2
libopenjpip7 2.4.0-6ubuntu0.2
Ubuntu 20.04 LTS
libopenjp2-7 2.3.1-1ubuntu4.20.04.3
libopenjp3d7 2.3.1-1ubuntu4.20.04.3
libopenjpip7 2.3.1-1ubuntu4.20.04.3
Ubuntu 18.04 LTS
libopenjp2-7 2.3.0-2+deb10u2ubuntu0.1~esm3
Available with Ubuntu Pro
libopenjp3d7 2.3.0-2+deb10u2ubuntu0.1~esm3
Available with Ubuntu Pro
libopenjpip7 2.3.0-2+deb10u2ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libopenjp2-7 2.1.2-1.1+deb9u6ubuntu0.1~esm6
Available with Ubuntu Pro
libopenjp3d7 2.1.2-1.1+deb9u6ubuntu0.1~esm6
Available with Ubuntu Pro
libopenjpip7 2.1.2-1.1+deb9u6ubuntu0.1~esm6
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7083-1
CVE-2021-29338, CVE-2021-3575, CVE-2022-1122
Package Information:
https://launchpad.net/ubuntu/+source/openjpeg2/2.5.0-2ubuntu1.1
https://launchpad.net/ubuntu/+source/openjpeg2/2.5.0-2ubuntu0.2
https://launchpad.net/ubuntu/+source/openjpeg2/2.4.0-6ubuntu0.2
https://launchpad.net/ubuntu/+source/openjpeg2/2.3.1-1ubuntu4.20.04.3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed