FS#38082 - [openjpeg] security patch for multiple CVEs
Attached to Project:
Arch Linux
Opened by RbN (RbN) - Monday, 09 December 2013, 19:50 GMT
Last edited by Jan de Groot (JGC) - Monday, 28 April 2014, 07:48 GMT
Details
Description:
CVE-2013-6052: heap OOB reads, information leaks
CVE-2013-6053: heap OOB reads, information leaks
CVE-2013-6045: heap OOB writes
CVE-2013-1447: null pointer dereferences, division by zero, and anything that would just fit as DoS
CVE-2013-6887: null pointer dereferences, division by zero, and anything that would just fit as DoS

[0] does not mention openjpeg 2 at all, so it is probably affected too. These patches will probably be reviewed and integrated upstream soon.

Patch: [0]

Resources:
[0] http://openwall.com/lists/oss-security/2013/12/04/6
This task depends upon
Closed by Jan de Groot (JGC)
Monday, 28 April 2014, 07:48 GMT
Reason for closing: Fixed
Additional comments about closing: Upstream released 1.5.2
I wouldn't count too much on upstream making a release, probably they will come up with another version bump several months later.
Are they all 3 causing regressions?
Let me know if you need help for testing.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734238
I used patches from Fedora, they also disable 2013-6045 because of this.