-------------------------------------------------------------------------
Debian LTS Advisory DLA-2975-1                [email protected]
https://www.debian.org/lts/security/                         Anton Gladky
April 10, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openjpeg2
Version        : 2.1.2-1.1+deb9u7
CVE ID         : CVE-2020-27842 CVE-2020-27843 CVE-2021-29338 CVE-2022-1122

Multiple vulnerabilities have been discovered in openjpeg2, the open-source
JPEG 2000 codec.


    Null pointer dereference through specially crafted input. The highest impact
    of this flaw is to application availability.


    The flaw allows an attacker to provide specially crafted input to the
    conversion or encoding functionality, causing an out-of-bounds read. The
    highest threat from this vulnerability is system availability.


    Integer overflow allows remote attackers to crash the application, causing a
    denial of service. This occurs when the attacker uses the command line
    option "-ImgDir" on a directory that contains 1048576 files.


    Input directory with a large number of files can lead to a segmentation
    fault and a denial of service due to a call of free() on an uninitialized

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your openjpeg2 packages.
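
The integer overflow item above (the "-ImgDir" case with 1048576 files) is illustrated below. This is an added example, not code from openjpeg2 or from this advisory. It assumes a fixed 4096-byte path slot per directory entry, and every function name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption for this example: every directory entry gets a fixed-size
 * path slot. 4096 is a constructed value, not taken from the advisory. */
#define PATH_SLOT_LEN 4096u

/* Unchecked form: the product is computed in 32 bits and wraps around. */
uint32_t slot_bytes_unchecked(uint32_t num_files)
{
    return num_files * PATH_SLOT_LEN;
}

/* Checked form: 0 and the size in *out on success, -1 on overflow. */
int slot_bytes_checked(uint32_t num_files, size_t *out)
{
    if (num_files == 0 || num_files > UINT32_MAX / PATH_SLOT_LEN)
        return -1;
    *out = (size_t)num_files * PATH_SLOT_LEN;
    return 0;
}

/* Allocate the table only when the size is representable. Every slot
 * pointer is assigned before returning, so cleanup never sees garbage. */
char **alloc_path_table(uint32_t num_files)
{
    size_t total;
    char **table, *buf;
    if (slot_bytes_checked(num_files, &total) != 0) return NULL;
    table = calloc(num_files, sizeof(*table));
    buf = calloc(1, total);
    if (!table || !buf) { free(table); free(buf); return NULL; }
    for (uint32_t i = 0; i < num_files; i++)
        table[i] = buf + (size_t)i * PATH_SLOT_LEN;
    return table;
}

void free_path_table(char **table)
{
    if (table) { free(table[0]); free(table); }
}

int main(void)
{
    printf("unchecked size for 1048576 files: %u bytes\n",
           (unsigned)slot_bytes_unchecked(1048576u));
    printf("checked allocation: %s\n",
           alloc_path_table(1048576u) ? "allocated" : "rejected");
    return 0;
}
```

With a 4096-byte slot, 1048576 entries is the first count whose 32-bit product wraps to zero, so an unchecked allocation would be far smaller than the loop that fills it expects.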

For the detailed security status of openjpeg2 please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS