Your message dated Tue, 29 Oct 2019 20:53:46 +0000
with message-id <[email protected]>
and subject line Bug#939553: fixed in openjpeg2 2.1.2-1.1+deb9u4
has caused the Debian Bug report #939553,
regarding openjpeg2: CVE-2018-21010
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
939553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.3.0-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for openjpeg2.

CVE-2018-21010[0]:
| OpenJPEG before 2.3.1 has a heap buffer overflow in
| color_apply_icc_profile in bin/common/color.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-21010
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21010
[1] https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u4

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <[email protected]> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 08 Oct 2019 15:20:27 +0200
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u4
Distribution: stretch
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Hugo Lefeuvre <[email protected]>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 844551 931294 939553
Changes:
 openjpeg2 (2.1.2-1.1+deb9u4) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
     (Closes: #939553).
   * CVE-2018-20847: improper computation of values in the function
     opj_get_encoding_parameters, leading to an integer overflow
     (Closes: #931294).
   * CVE-2016-9112: floating point exception or divide by zero in the
     function opj_pi_next_cprl (Closes: #844551).


--- End Message ---
-- 
Pkg-phototools-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-phototools-devel
