Scientific Linux SL6: Important OpenJPEG Update for Buffer Overflow

Important: openjpeg security update
Date: Tue, 10 Jul 2012 09:40:19 -0500
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Organization: Fermilab
Subject: FASTBUGS for SL 5x i386, x86_64 now available
MIME-Version: 1.0

The following FASTBUGS have been uploaded to

i386:
 cpio-2.6-25.el5.i386.rpm
 e2fsprogs-1.39-34.el5_8.1.i386.rpm
 e2fsprogs-devel-1.39-34.el5_8.1.i386.rpm
 e2fsprogs-libs-1.39-34.el5_8.1.i386.rpm
 file-4.17-28.i386.rpm
 rgmanager-2.0.52-28.el5_8.2.i386.rpm
 telnet-0.17-41.el5.i386.rpm
 telnet-server-0.17-41.el5.i386.rpm
 uuidd-1.39-34.el5_8.1.i386.rpm

x86_64:
 cpio-2.6-25.el5.x86_64.rpm
 e2fsprogs-1.39-34.el5_8.1.x86_64.rpm
 e2fsprogs-devel-1.39-34.el5_8.1.i386.rpm
 e2fsprogs-devel-1.39-34.el5_8.1.x86_64.rpm
 e2fsprogs-libs-1.39-34.el5_8.1.i386.rpm
 e2fsprogs-libs-1.39-34.el5_8.1.x86_64.rpm
 file-4.17-28.x86_64.rpm
 rgmanager-2.0.52-28.el5_8.2.x86_64.rpm
 telnet-0.17-41.el5.x86_64.rpm
 telnet-server-0.17-41.el5.x86_64.rpm
 uuidd-1.39-34.el5_8.1.x86_64.rpm
Date: Wed, 11 Jul 2012 14:51:57 -0500
Reply-To:
Sender: Security Errata for Scientific Linux
 
From: Patrick Riehecky 
Subject: Security ERRATA Important: openjpeg on SL6.x i386/x86_64
Comments: To:

Synopsis: Important: openjpeg security update
Issue Date: 2012-07-11
CVE Numbers: CVE-2009-5030
 CVE-2012-3358

OpenJPEG is an open source library for reading and writing image files in
JPEG 2000 format.

An input validation flaw, leading to a heap-based buffer overflow, was
found in the way OpenJPEG handled the tile number and size in an image tile
header. A remote attacker could provide a specially-crafted image file
that, when decoded using an application linked against OpenJPEG, would
cause the application to crash or, potentially, execute arbitrary code with
the privileges of the user running the application. (CVE-2012-3358)

OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from
input images that have certain color depths. A remote attacker could
provide a specially-crafted image file that, when opened in an application
linked against OpenJPEG (such as image_to_j2k), would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application. (CVE-2009-5030)

Users of OpenJPEG should upgrade to these updated packages, which contain
patches to correct these issues. All running applications using OpenJPEG
must be restarted for the update to take effect.

SL6:
 i386
 openjpeg-1.3-8.el6_3.i686.rpm
 openjpeg-debuginfo-1.3-8.el6_3.i686.rpm
 openjpeg-devel-1.3-8.el6_3.i686.rpm
 openjpeg-libs-1.3-8.el6_3.i686.rpm
 x86_64
 openjpeg-1.3-8.el6_3.x86_64.rpm
 openjpeg-debuginfo-1.3-8.el6_3.i686.rpm
 openjpeg-debuginfo-1.3-8.el6_3.x86_64.rpm
 openjpeg-devel-1.3-8.el6_3.i686.rpm
 openjpeg-devel-1.3-8.el6_3.x86_64.rpm
 openjpeg-libs-1.3-8.el6_3.i686.rpm
 openjpeg-libs-1.3-8.el6_3.x86_64.rpm

- Scientific Linux Development Team
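The first flaw in the errata above is a missing range check on values read from a JPEG 2000 tile-part header. As an added illustration (example code written for this page, not OpenJPEG's source and not the patch shipped in the packages listed), the C function below parses one SOT marker segment, whose field layout is taken from ISO/IEC 15444-1, and refuses a tile index that is not below the tile count and a tile-part length that does not fit the remaining codestream. The sample byte strings and the 2x2 tile grid are constructed for the example; the page does not say which exact check OpenJPEG's fix adds, so the placement of the checks here is an assumption about where a decoder must validate before it uses these fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes returned by parse_sot(). */
enum sot_status {
    SOT_OK             =  0,
    SOT_ERR_TRUNCATED  = -1,  /* fewer than 12 bytes left in the codestream */
    SOT_ERR_MARKER     = -2,  /* bytes do not start with the SOT marker 0xFF90 */
    SOT_ERR_LSOT       = -3,  /* Lsot is fixed at 10 by the standard */
    SOT_ERR_TILE_INDEX = -4,  /* Isot is not below the number of tiles */
    SOT_ERR_PSOT       = -5   /* Psot does not fit the remaining codestream */
};

/* Fields of an SOT marker segment (ISO/IEC 15444-1, Annex A.4.2). */
struct sot_segment {
    uint16_t isot;   /* tile index */
    uint32_t psot;   /* tile-part length counted from the SOT marker; 0 = up to EOC */
    uint8_t  tpsot;  /* index of this tile-part within the tile */
    uint8_t  tnsot;  /* number of tile-parts in the tile (0 = not specified) */
};

#define SOT_SEGMENT_LEN 12u  /* marker 2 + Lsot 2 + Isot 2 + Psot 4 + TPsot 1 + TNsot 1 */

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/*
 * Parse the SOT marker segment at buf[0].  `remaining` is the number of bytes
 * left in the codestream from that position; `num_tiles` is the tile-grid size
 * (tiles across * tiles down) already derived from the SIZ header.  Both the
 * tile index and the tile-part length are validated before being handed back,
 * because a decoder uses Isot to subscript its tile array (allocated with
 * num_tiles entries) and Psot to decide how far to read.
 */
int parse_sot(const uint8_t *buf, size_t remaining, uint32_t num_tiles,
              struct sot_segment *out)
{
    if (remaining < SOT_SEGMENT_LEN) return SOT_ERR_TRUNCATED;
    if (rd16(buf) != 0xFF90)         return SOT_ERR_MARKER;
    if (rd16(buf + 2) != 10)         return SOT_ERR_LSOT;

    uint16_t isot = rd16(buf + 4);
    /* Without this test, a tile index at or above num_tiles would write
       tile state past the end of the heap-allocated tile array. */
    if (isot >= num_tiles) return SOT_ERR_TILE_INDEX;

    uint32_t psot = rd32(buf + 6);
    /* Psot == 0 is allowed only to mean "runs to the EOC marker"; otherwise it
       must cover at least this segment and must not claim bytes that are not
       actually present. */
    if (psot != 0 && (psot < SOT_SEGMENT_LEN || psot > remaining))
        return SOT_ERR_PSOT;

    if (out) {
        out->isot  = isot;
        out->psot  = psot;
        out->tpsot = buf[10];
        out->tnsot = buf[11];
    }
    return SOT_OK;
}

/* Constructed sample segments for a 2x2 tile grid; not taken from any real file. */
#define SAMPLE_NUM_TILES 4u
const uint8_t SAMPLE_SOT_GOOD[] = {
    0xFF, 0x90, 0x00, 0x0A, 0x00, 0x03, 0x00, 0x00, 0x00, 0x20, 0x00, 0x01 };
/* Isot = 7 on a grid of 4 tiles: the index that must be rejected. */
const uint8_t SAMPLE_SOT_BAD_INDEX[] = {
    0xFF, 0x90, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x00, 0x00, 0x20, 0x00, 0x01 };
/* Psot = 0x7FFFFFFF: a tile-part length far beyond the bytes that remain. */
const uint8_t SAMPLE_SOT_BAD_PSOT[] = {
    0xFF, 0x90, 0x00, 0x0A, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0x00, 0x01 };

static const char *status_name(int st)
{
    switch (st) {
    case SOT_OK:             return "ok";
    case SOT_ERR_TRUNCATED:  return "truncated";
    case SOT_ERR_MARKER:     return "bad marker";
    case SOT_ERR_LSOT:       return "bad Lsot";
    case SOT_ERR_TILE_INDEX: return "tile index out of range";
    case SOT_ERR_PSOT:       return "tile-part length out of range";
    default:                 return "unknown";
    }
}

int main(void)
{
    struct sot_segment seg;
    int st = parse_sot(SAMPLE_SOT_GOOD, 64, SAMPLE_NUM_TILES, &seg);
    printf("good:      %s (Isot=%u Psot=%u)\n", status_name(st), seg.isot, seg.psot);
    printf("bad index: %s\n",
           status_name(parse_sot(SAMPLE_SOT_BAD_INDEX, 64, SAMPLE_NUM_TILES, NULL)));
    printf("bad Psot:  %s\n",
           status_name(parse_sot(SAMPLE_SOT_BAD_PSOT, 64, SAMPLE_NUM_TILES, NULL)));
    return 0;
}
```

The point of the ordering is that the checks run before the parsed values reach any code that allocates, indexes, or advances a read pointer; a decoder that stores the tile index first and validates later has already done the out-of-bounds write by the time the check fires.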