Mageia 2020-0478: openjpeg2 security update
Summary
There's a flaw in openjpeg in src/lib/openjp2/pi.c. When an attacker is able to
provide crafted input to be processed by the openjpeg encoder, this could cause
an out-of-bounds read. The greatest impact from this flaw is to application
availability (CVE-2020-27841).
There's a flaw in openjpeg's t2 encoder. An attacker who is able to provide
crafted input to be processed by openjpeg could cause a null pointer
dereference. The highest impact of this flaw is to application availability
(CVE-2020-27842).
A flaw was found in OpenJPEG. This flaw allows an attacker to provide specially
crafted input to the conversion or encoding functionality, causing an
out-of-bounds read. The highest threat from this vulnerability is system
availability (CVE-2020-27843).
There's a flaw in src/lib/openjp2/pi.c of openjpeg. If an attacker is able to
provide untrusted input to openjpeg's conversion/encoding functionality, they
could cause an out-of-bounds read. The highest impact of this flaw is to
application availability (CVE-2020-27845).
References
- https://bugs.mageia.org/show_bug.cgi?id=27903
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THY4LKGUS3D4XE5YHKLMTPVLURQ7OV57/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27841
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27842
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27843
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27845
Resolution
MGASA-2020-0478 - Updated openjpeg2 packages fix security vulnerabilities
SRPMS
- 7/core/openjpeg2-2.3.1-1.6.mga7