MGASA-2020-0478 - Updated openjpeg2 packages fix security vulnerabilities

Publication date: 29 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0478.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-27841,
     CVE-2020-27842,
     CVE-2020-27843,
     CVE-2020-27845

There's a flaw in openjpeg in src/lib/openjp2/pi.c. When an attacker is able to
provide crafted input to be processed by the openjpeg encoder, this could cause
an out-of-bounds read. The greatest impact from this flaw is to application
availability (CVE-2020-27841).

There's a flaw in openjpeg's t2 encoder. An attacker who is able to provide
crafted input to be processed by openjpeg could cause a null pointer
dereference. The highest impact of this flaw is to application availability
(CVE-2020-27842).

A flaw was found in OpenJPEG. This flaw allows an attacker to provide specially
crafted input to the conversion or encoding functionality, causing an
out-of-bounds read. The highest threat from this vulnerability is system
availability (CVE-2020-27843).

There's a flaw in  src/lib/openjp2/pi.c of openjpeg. If an attacker is able to
provide untrusted input to openjpeg's conversion/encoding functionality, they
could cause an out-of-bounds read. The highest impact of this flaw is to
application availability (CVE-2020-27845).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27903
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/THY4LKGUS3D4XE5YHKLMTPVLURQ7OV57/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27841
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27842
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27843
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27845

SRPMS:
- 7/core/openjpeg2-2.3.1-1.6.mga7