Control: tags 1133832 + patch Control: tags 1133832 + pending Dear maintainer,
I've prepared an NMU for openjpeg2 (versioned as 2.5.4-1.1) and uploaded it to DELAYED/1. Please feel free to tell me if I should cancel it. cu Adrian
diffstat for openjpeg2-2.5.4 openjpeg2-2.5.4 changelog | 8 ++ patches/0001-opj_pi_initialise_encode-write-code-path-avoid-poten.patch | 34 ++++++++++ patches/series | 1 3 files changed, 43 insertions(+) diff -Nru openjpeg2-2.5.4/debian/changelog openjpeg2-2.5.4/debian/changelog --- openjpeg2-2.5.4/debian/changelog 2026-01-07 05:28:57.000000000 +0200 +++ openjpeg2-2.5.4/debian/changelog 2026-05-07 20:45:14.000000000 +0300 @@ -1,3 +1,11 @@ +openjpeg2 (2.5.4-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2026-6192: Integer Overflow in opj_pi_initialise_encode() + (Closes: #1133832) + + -- Adrian Bunk <[email protected]> Thu, 07 May 2026 20:45:14 +0300 + openjpeg2 (2.5.4-1) unstable; urgency=medium * Team upload. diff -Nru openjpeg2-2.5.4/debian/patches/0001-opj_pi_initialise_encode-write-code-path-avoid-poten.patch openjpeg2-2.5.4/debian/patches/0001-opj_pi_initialise_encode-write-code-path-avoid-poten.patch --- openjpeg2-2.5.4/debian/patches/0001-opj_pi_initialise_encode-write-code-path-avoid-poten.patch 1970-01-01 02:00:00.000000000 +0200 +++ openjpeg2-2.5.4/debian/patches/0001-opj_pi_initialise_encode-write-code-path-avoid-poten.patch 2026-05-07 20:28:10.000000000 +0300 @@ -0,0 +1,34 @@ +From 4668717cc54b2bfb4466d1973283a9be19294154 Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Sun, 5 Apr 2026 13:25:27 +0200 +Subject: opj_pi_initialise_encode() (write code path): avoid potential integer + overflow leading to insufficient memory allocation + +Fixes #1619 +--- + src/lib/openjp2/pi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c +index 15ac3314..4abb87af 100644 +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + l_current_pi = l_pi; + + /* memory allocation for include*/ +- l_current_pi->include_size = l_tcp->numlayers * l_step_l; +- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, +- sizeof(OPJ_INT16)); ++ l_current_pi->include = NULL; ++ if (l_step_l <= UINT_MAX / l_tcp->numlayers) { ++ l_current_pi->include_size = l_tcp->numlayers * l_step_l; ++ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, ++ sizeof(OPJ_INT16)); ++ } + if (!l_current_pi->include) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +-- +2.47.3 + diff -Nru openjpeg2-2.5.4/debian/patches/series openjpeg2-2.5.4/debian/patches/series --- openjpeg2-2.5.4/debian/patches/series 2026-01-07 05:22:22.000000000 +0200 +++ openjpeg2-2.5.4/debian/patches/series 2026-05-07 20:45:12.000000000 +0300 @@ -1,3 +1,4 @@ issue878.patch man_fix.patch fix-typo-man-libopenjp2.patch +0001-opj_pi_initialise_encode-write-code-path-avoid-poten.patch
