Source: openjpeg2
Version: 2.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1044
Hi,

the following vulnerability was published for openjpeg2.

CVE-2017-17480[0]:
| In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the
| pgxtovolume function in jp3d/convert.c. The vulnerability causes an
| out-of-bounds write, which may lead to remote denial of service or
| possibly remote code execution.

Note there is as well the CVE-2017-17479 assignment, for the jpwl/convert.c part. But AFAICS the Debian packaging has overall BUILD_JPWL:BOOL=OFF, so that one can be considered unimportant since it is only present in the source, but not in the resulting binary packages. Though if upstream fixes both issues, then both fixes could be applied.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17480
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17480
[1] https://github.com/uclouvain/openjpeg/issues/1044

Regards,
Salvatore