Bug 707926 (CVE-2020-6851, CVE-2020-8112) - media-libs/openjpeg: multiple vulnerabilities (CVE-2020-{6851,8112})
Summary: media-libs/openjpeg: multiple vulnerabilities (CVE-2020-{6851,8112})
Status: IN_PROGRESS
Alias: CVE-2020-6851, CVE-2020-8112
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B3 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-02 13:44 UTC by filip ambroz
Modified: 2020-02-25 00:14 UTC

See Also:
Package list:
Runtime testing required: ---
Description filip ambroz 2020-02-02 13:44:44 UTC
Heap-based buffer overflows.
Described here: https://github.com/uclouvain/openjpeg/issues/1228
And here: https://github.com/uclouvain/openjpeg/issues/1231
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:12:50 UTC
CVE-2020-8112 (https://nvd.nist.gov/vuln/detail/CVE-2020-8112):
  opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
  2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
  different issue than CVE-2020-6851.

CVE-2020-6851 (https://nvd.nist.gov/vuln/detail/CVE-2020-6851):
  OpenJPEG through 2.3.1 has a heap-based buffer overflow in
  opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
  opj_j2k_update_image_dimensions validation.