From $URL: A heap-based buffer overflow was discovered in the opj_t2_encode_packet function in lib/openjp2/t2.c in OpenJPEG 2.2.0. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact. Upstream bug: https://github.com/uclouvain/openjpeg/issues/992 Upstream patch: https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e References: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-heap-based-buffer-overflow-in-opj_t2_encode_packet-t2-c/
2.3.0 is in tree. It fixes several other vulnerabilities like this: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-stack-based-buffer-overflow-write-in-pgxtoimage-convert-c/ Can we stabilize?
@ Arches, please test and mark stable: =media-libs/openjpeg-2.3.0
hppa stable
Stable on amd64
x86 stable
ia64 stable
ppc/ppc64 stable
arm stable
Stable on alpha.
@maintainers, please clean the vulnerable versions.
This issue was resolved and addressed in GLSA 201710-26 at https://security.gentoo.org/glsa/201710-26 by GLSA coordinator Aaron Bauman (b-man).
commit 43ba3bc2fbc5d86243cf8c68ff825eaa34bd1146 Author: Mart Raudsepp <leio@gentoo.org> Date: Sat Mar 3 14:14:07 2018 +0200 media-libs/openjpeg-2.3.0: arm64 stable