CVE-2021-29338: Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.
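Why the count 1048576 matters, as an added example that is not part of the original report or of OpenJPEG's code: it assumes each file name gets a fixed 4096-byte slot and that the table size is computed in 32-bit unsigned arithmetic, so 1048576 * 4096 = 2^32 wraps to 0. `PATH_LEN` and both function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: fixed per-file path slot of 4096 bytes (not stated on the page). */
#define PATH_LEN 4096u

/* Unchecked form: the product is computed in 32 bits and wraps modulo 2^32. */
static uint32_t unchecked_table_size(uint32_t num_files)
{
    return num_files * PATH_LEN;
}

/* Checked form: widen first, then refuse anything above `limit`
 * (UINT32_MAX models a 32-bit size_t). Returns 0 on success, -1 on reject. */
static int checked_table_size(uint32_t num_files, uint64_t limit, uint64_t *out)
{
    uint64_t bytes = (uint64_t)num_files * PATH_LEN; /* < 2^44, cannot wrap */
    if (num_files == 0 || bytes > limit)
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    /* Constructed sample counts around the boundary named in the CVE text. */
    const uint32_t counts[] = { 1048575u, 1048576u, 1048577u };
    for (unsigned i = 0; i < 3; i++) {
        uint64_t bytes = 0;
        int rc = checked_table_size(counts[i], UINT32_MAX, &bytes);
        printf("files=%u unchecked=%u checked=%s\n",
               (unsigned)counts[i],
               (unsigned)unchecked_table_size(counts[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

With the unchecked form, a directory of 1048576 entries yields a zero-byte request and 1048577 entries yields a single 4096-byte slot, while the code that fills the table still expects one slot per file.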
Package list is empty or all packages have requested keywords.
A fix was merged: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c
If I'm getting the timeline right, there was a comment indicating that the patch doesn't fully resolve the overflow issue: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c#commitcomment-63789681
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c5508bd5ecf31191a9f63b6f8db66d1c9880b03

commit 3c5508bd5ecf31191a9f63b6f8db66d1c9880b03
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-04-21 12:07:59 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-24 07:24:04 +0000

    media-libs/openjpeg: backport upstream fix for CVE-2021-29338

    The fix is split across two commits upstream, considered merging them
    but decided against it.

    Bug: https://bugs.gentoo.org/783513
    Fixes: CVE-2021-29338
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/25142
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 .../openjpeg-2.4.0-r3-avoid-mult-overflow.patch    |  52 ++++++++
 .../openjpeg-2.4.0-r3-fix-integer-overflow.patch   |  57 +++++++++
 media-libs/openjpeg/openjpeg-2.4.0-r3.ebuild       | 142 +++++++++++++++++++++
 3 files changed, 251 insertions(+)
Thanks! Please stable when ready
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0a1ba2eaccd64377fa90dd289886faaae126df3

commit f0a1ba2eaccd64377fa90dd289886faaae126df3
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-05-16 08:07:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-22 20:35:39 +0000

    media-libs/openjpeg: add 2.5.0

    Also update to EAPI 8, and bump the test data to the latest commit
    possible.

    Drop all security patches from v2.4.0 as they are part of the upstream
    release.

    Closes: https://bugs.gentoo.org/844064
    Bug: https://bugs.gentoo.org/783513
    Bug: https://bugs.gentoo.org/484802
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/25523
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openjpeg/Manifest                       |   2 +
 .../files/openjpeg-2.5.0-gnuinstalldirs.patch      | 299 +++++++++++++++++++++
 media-libs/openjpeg/openjpeg-2.5.0.ebuild          | 140 ++++++++++
 3 files changed, 441 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3ffb060a535687205849990e329954275cbcd1f4

commit 3ffb060a535687205849990e329954275cbcd1f4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-07 02:52:41 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-07 02:58:07 +0000

    [ GLSA 202209-04 ] OpenJPEG: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/783513
    Bug: https://bugs.gentoo.org/836969
    Bug: https://bugs.gentoo.org/844064
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-04.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
GLSA released, all done!