Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201710-26 ] OpenJPEG: Multiple vulnerabilities
Date: Mon, 23 Oct 2017 01:40:28
Message-Id: 2578740.rZSGAur8cN@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenJPEG: Multiple vulnerabilities
Date: October 23, 2017
Bugs: #602180, #606618, #628504, #629372, #629668, #630120
ID: 201710-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenJPEG, the worst of
which may allow remote attackers to execute arbitrary code.

Background
==========

OpenJPEG is an open-source JPEG 2000 library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/openjpeg        < 2.3.0:2                   >= 2.3.0:2

Description
===========

Multiple vulnerabilities have been discovered in OpenJPEG. Please
review the references below for details.

Impact
======

A remote attacker, via a crafted BMP, PDF, or j2k document, could
execute arbitrary code, cause a Denial of Service condition, or have
other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenJPEG users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/openjpeg-2.3.0:2"

References
==========

[ 1 ] CVE-2016-10504
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10504
[ 2 ] CVE-2016-10505
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10505
[ 3 ] CVE-2016-10506
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10506
[ 4 ] CVE-2016-10507
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10507
[ 5 ] CVE-2016-1626
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1626
[ 6 ] CVE-2016-1628
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1628
[ 7 ] CVE-2016-9112
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9112
[ 8 ] CVE-2016-9113
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9113
[ 9 ] CVE-2016-9114
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9114
[ 10 ] CVE-2016-9115
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9115
[ 11 ] CVE-2016-9116
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9116
[ 12 ] CVE-2016-9117
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9117
[ 13 ] CVE-2016-9118
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9118
[ 14 ] CVE-2016-9572
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9572
[ 15 ] CVE-2016-9573
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9573
[ 16 ] CVE-2016-9580
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9580
[ 17 ] CVE-2016-9581
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9581
[ 18 ] CVE-2017-12982
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12982
[ 19 ] CVE-2017-14039
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14039
[ 20 ] CVE-2017-14164
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14164

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-26

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature