"OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_profile in bin/common/color.c."
Affected versions in Portage:
- 1.5.2-r1 (1.x series)
NOTE: A version of 2.x with the fix is already in tree.
This  mentions that 1.x is also vulnerable.
Code in 1.5.2: https://github.com/uclouvain/openjpeg/blob/openjpeg-1.5/applications/common/color.c#L418
It looks like a patch could be generated, or indeed the 1.x series could be dropped given it is aging and its last release was 2014. Upstream have not released a fix for 1.x.
Patch for 2.x: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
The bug has been referenced in the following commit(s):
Author: John Helmert III <email@example.com>
AuthorDate: 2020-07-30 07:01:27 +0000
Commit: Andreas Sturmlechner <firstname.lastname@example.org>
CommitDate: 2021-01-23 18:12:57 +0000
media-libs/openjpeg: Security cleanup (drop :0)
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: John Helmert III <email@example.com>
Signed-off-by: Andreas Sturmlechner <firstname.lastname@example.org>
media-libs/openjpeg/Manifest | 1 -
media-libs/openjpeg/openjpeg-1.5.2-r1.ebuild | 77 ----------------------------
2 files changed, 78 deletions(-)
Now just need vote.
This issue was resolved and addressed in
GLSA 202101-29 at https://security.gentoo.org/glsa/202101-29
by GLSA coordinator Sam James (sam_c).