Univention Bugzilla – Bug 33287
openjpeg: Multiple issues (3.2)
Last modified: 2014-05-20 07:53:31 CEST
+++ This bug was initially created as a clone of Bug #32566 +++

Multiple buffer overflows (CVE-2013-4289 CVE-2013-4290)
Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service (CVE-2013-1447) via application crash or high memory consumption, possible code execution through heap buffer overflows (CVE-2013-6045), information disclosure (CVE-2013-6052), or yet another heap buffer overflow that only appears to affect OpenJPEG 1.3 (CVE-2013-6054).
(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #32566 +++
>
> Multiple buffer overflows (CVE-2013-4289 CVE-2013-4290)

These don't affect Debian/UCS; while the affected code is present in the source package, it's not built.
These issues were fixed with the update to Squeeze 6.0.9 (Bug 34588). The QA should ideally be done by the same person.
OK: aptitude install '?source-package(openjpeg)'
OK:
openjpeg (1.3+dfsg-4+squeeze2) squeeze-security; urgency=high
  * Fix CVE-2013-6052: information leak.
  * Fix CVE-2013-6045: multiple heap buffer overflows.
  * Fix CVE-2013-6054: a heap buffer overflow.
  * Fix CVE-2013-1447: multiple crashers.
OK: /usr/bin/image_to_j2k
UCS 3.2-2 has been released:
http://docs.univention.de/release-notes-3.2-2-en.html
http://docs.univention.de/release-notes-3.2-2-de.html

If this error occurs again, please use "Clone This Bug".