Summary
=======
The package openjpeg2 is vulnerable to multiple issues
including arbitrary code execution and denial of service via
CVE-2020-27824, CVE-2020-27814, CVE-2020-15389,
CVE-2020-8112, CVE-2020-6851, CVE-2019-12973, CVE-2019-6988,
CVE-2018-20846 and CVE-2018-16376.
Guidance
========
After the last vulnerability report (FS#68906), I dug a little deeper
and discovered that openjpeg has
gathered quite a few security issues since its last release
2.3.1 in April 2019. I have collected all the CVEs I could
find in the linked security tracker entry. The necessary
patches are:
https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3 # CVE-2019-12973
https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66 # CVE-2019-12973
https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 # CVE-2020-6851
https://github.com/uclouvain/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074 # CVE-2020-8112
https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 # CVE-2020-15389
https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9 # CVE-2020-27814
https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d # CVE-2020-27824
CVE-2018-16376 and CVE-2019-6988 appear to have no upstream
fixes; CVE-2018-20846 had one
(https://github.com/uclouvain/openjpeg/commit/c277159986c80142180fbe5efb256bbf3bdf3edc)
which was later reverted
(https://github.com/uclouvain/openjpeg/commit/e1740e7ce79d0a1676db4da0f4189b64e85f52cb)
because it did not compile.
Given the relatively large number of patches, I think this
might be one of the few cases where packaging the current
master (currently at commit
98a4c5c3709e0cc43b0a1c151ed5bd85a2d607fa, including all
these fixes) might be easier.
References
==========
https://security.archlinux.org/AVG-1343
https://github.com/uclouvain/openjpeg/issues/1286
https://github.com/uclouvain/openjpeg/pull/1292
https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d
https://github.com/uclouvain/openjpeg/issues/1283
https://github.com/uclouvain/openjpeg/pull/1303
https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9
https://github.com/uclouvain/openjpeg/issues/1261
https://github.com/uclouvain/openjpeg/pull/1262
https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0
https://github.com/uclouvain/openjpeg/issues/1231
https://github.com/uclouvain/openjpeg/pull/1232
https://github.com/uclouvain/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074
https://github.com/uclouvain/openjpeg/issues/1228
https://github.com/uclouvain/openjpeg/pull/1229
https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04
https://github.com/uclouvain/openjpeg/issues/1222
https://github.com/uclouvain/openjpeg/pull/1185
https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3
https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66
https://github.com/uclouvain/openjpeg/issues/1178
https://github.com/uclouvain/openjpeg/pull/1168
https://github.com/uclouvain/openjpeg/commit/c277159986c80142180fbe5efb256bbf3bdf3edc
https://github.com/uclouvain/openjpeg/commit/e1740e7ce79d0a1676db4da0f4189b64e85f52cb
https://github.com/uclouvain/openjpeg/issues/1127
I have no clue if master is in good backward-compatible shape or might break something.
https://github.com/uclouvain/openjpeg/commit/c9380ed0f8cc4794fc71d556ea23ae61e32247af # CVE-2020-27841
https://github.com/uclouvain/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce # CVE-2020-27841
https://github.com/uclouvain/openjpeg/commit/fbd30b064f8f9607d500437b6fedc41431fd6cdc # CVE-2020-27842
https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 # CVE-2020-27843
https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 # CVE-2020-27845
The fixes for CVE-2020-27842 and CVE-2020-27843 are possibly only stopgap solutions according to their commit description.
There is also CVE-2020-27844, see https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296, but this issue probably only affects the current master according to the commit description since the vulnerable code is not present in any released version.