From ${URL}:

A size-validation issue was discovered in opj_j2k_write_sot in lib/openjp2/j2k.c in OpenJPEG 2.2.0. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service (heap-based buffer overflow affecting opj_write_bytes_LE in lib/openjp2/cio.c) or possibly remote code execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14152.

Upstream Patch: https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a
Upstream Bug: https://github.com/uclouvain/openjpeg/issues/991
CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14164
Source: https://blogs.gentoo.org/ago/2017/09/06/heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c-incomplete-fix-for-cve-2017-14152/
@maintainer(s), after bump, please call stabilization if needed, thank you.

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
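A simplified illustration of the bug class described in the report above, added here as an example; it is not OpenJPEG code and not part of the original report. The names `write_sot_checked` and `put_be` and the parameters are hypothetical; the 12-byte SOT segment layout follows the JPEG 2000 codestream format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* marker(2) + Lsot(2) + Isot(2) + Psot(4) + TPsot(1) + TNsot(1) */
#define SOT_SEGMENT_LEN 12u

/* Store the low n bytes of v at p, most significant byte first.
 * The caller guarantees that p has room for n bytes. */
static void put_be(uint8_t *p, uint32_t v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * (n - 1 - i)));
}

/* Hypothetical SOT writer with the size check in place.
 * Returns the number of bytes written, or 0 when fewer than 12 bytes
 * are available; in that case dst is left untouched. Without the
 * check, the stores below would run past the end of a short heap
 * buffer, which is the out-of-bounds write the report describes. */
size_t write_sot_checked(uint8_t *dst, size_t avail, uint16_t tile_no,
                         uint8_t tile_part, uint8_t num_tile_parts)
{
    if (dst == NULL || avail < SOT_SEGMENT_LEN)
        return 0;

    put_be(dst + 0, 0xFF90u, 2);         /* SOT marker */
    put_be(dst + 2, 10u, 2);             /* Lsot: length without the marker */
    put_be(dst + 4, tile_no, 2);         /* Isot: tile index */
    put_be(dst + 6, 0u, 4);              /* Psot: filled in later by the encoder */
    put_be(dst + 10, tile_part, 1);      /* TPsot */
    put_be(dst + 11, num_tile_parts, 1); /* TNsot */
    return SOT_SEGMENT_LEN;
}

int main(void)
{
    uint8_t small[8] = {0}, ok[12] = {0}; /* constructed sample buffers */
    printf("8-byte buffer:  wrote %zu bytes\n",
           write_sot_checked(small, sizeof small, 3, 0, 1));
    printf("12-byte buffer: wrote %zu bytes\n",
           write_sot_checked(ok, sizeof ok, 3, 0, 1));
    return 0;
}
```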
Hi, it is appreciated that you file the security bugs. I'd like it if the summary reported the nature of the issue instead of the impact, so in this case heap buffer overflow.
This issue was resolved and addressed in GLSA 201710-26 at https://security.gentoo.org/glsa/201710-26 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup.
@maintainers ping. Please let us know when the tree is clean from <openjpeg-2.3.0
(In reply to Agostino Sarubbo from comment #2)
> Hi, it is appreciated that you file the security bugs. I'd like it if the
> summary reported the nature of the issue instead of the impact, so in
> this case heap buffer overflow.

Sorry, I missed your comment, Ago. Tree is clean.