[Pkg-phototools-devel] Bug#884738: openjpeg2: CVE-2017-17480: stack-based buffer overflow in pgxtovolume function in jp3d/convert.c
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 18 21:33:47 UTC 2017
Source: openjpeg2
Version: 2.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1044
Hi,
the following vulnerability was published for openjpeg2.
CVE-2017-17480[0]:
| In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the
| pgxtovolume function in jp3d/convert.c. The vulnerability causes an
| out-of-bounds write, which may lead to remote denial of service or
| possibly remote code execution.
Note there is as well the CVE-2017-17479 assignment, for the
jpwl/convert.c part. But AFAICS the Debian packagagins has overall
BUILD_JPWL:BOOL=OFF, so that one can be considered unimportant since
only present as in the source, but not in the resulting binary
packages. Though if upstream fixes the both issues, then fixes could
be applied.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17480
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17480
[1] https://github.com/uclouvain/openjpeg/issues/1044
Regards,
Salvatore
More information about the Pkg-phototools-devel
mailing list