First Last Prev Next    This bug is not in your last search results.
Bug 33287 - openjpeg: Multiple issues (3.2)
openjpeg: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.1
Other Linux
: P3 normal (vote)
: UCS 3.2-2
Assigned To: Moritz Muehlenhoff
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-12 11:43 CET by Moritz Muehlenhoff
Modified: 2014-05-20 07:53 CEST (History)
0 users

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2013-11-12 11:43:01 CET 
+++ This bug was initially created as a clone of Bug #32566 +++

Multiple buffer overflows (CVE-2013-4289 CVE-2013-4290)
Comment 1 Moritz Muehlenhoff univentionstaff 2013-12-03 08:38:01 CET 
Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service (CVE-2013-1447) via application crash or high memory consumption, possible code execution through heap buffer overflows (CVE-2013-6045), information disclosure (CVE-2013-6052), or yet another heap buffer overflow that only appears to affect OpenJPEG 1.3 (CVE-2013-6054).
Comment 2 Moritz Muehlenhoff univentionstaff 2014-03-19 07:11:34 CET 
(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #32566 +++
> 
> Multiple buffer overflows (CVE-2013-4289 CVE-2013-4290)

These don't affect Debian/UCS; while the affected code is present in the source package, it's not built.
Comment 3 Moritz Muehlenhoff univentionstaff 2014-05-02 13:05:43 CEST 
These issues were fixed with the update to Squeeze 6.0.9 (Bug 34588). The QA should ideally be made by the same person.
Comment 4 Philipp Hahn univentionstaff 2014-05-06 20:08:51 CEST 
OK: aptitude install '?source-package(openjpeg)'
OK: openjpeg (1.3+dfsg-4+squeeze2) squeeze-security; urgency=high
  * Fix CVE-2013-6052: information leak.
  * Fix CVE-2013-6045: multiple heap buffer overflows.
  * Fix CVE-2013-6054: a heap buffer overflow.
  * Fix CVE-2013-1447: multiple crashers.
OK: /usr/bin/image_to_j2k
Comment 5 Stefan Gohmann univentionstaff 2014-05-20 07:53:31 CEST 
UCS 3.2-2 has been released:
 http://docs.univention.de/release-notes-3.2-2-en.html
 http://docs.univention.de/release-notes-3.2-2-de.html

If this error occurs again, please use "Clone This Bug".
First Last Prev Next    This bug is not in your last search results.