Control: tags 1110443 + patch
Control: tags 1110443 + pending

Dear maintainer,

I've prepared an NMU for openjpeg2 (versioned as 2.5.3-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
diffstat for openjpeg2-2.5.3 openjpeg2-2.5.3 changelog | 8 ++ patches/0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch | 40 ++++++++++ patches/series | 1 3 files changed, 49 insertions(+) diff -Nru openjpeg2-2.5.3/debian/changelog openjpeg2-2.5.3/debian/changelog --- openjpeg2-2.5.3/debian/changelog 2025-03-10 09:22:54.000000000 +0200 +++ openjpeg2-2.5.3/debian/changelog 2025-08-09 18:19:52.000000000 +0300 @@ -1,3 +1,11 @@ +openjpeg2 (2.5.3-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2025-54874: Out-of-bounds write in opj_jp2_read_header() + (Closes: #1110443) + + -- Adrian Bunk <[email protected]> Sat, 09 Aug 2025 18:19:52 +0300 + openjpeg2 (2.5.3-2) unstable; urgency=medium * Team upload. diff -Nru openjpeg2-2.5.3/debian/patches/0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch openjpeg2-2.5.3/debian/patches/0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch --- openjpeg2-2.5.3/debian/patches/0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch 1970-01-01 02:00:00.000000000 +0200 +++ openjpeg2-2.5.3/debian/patches/0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch 2025-08-09 18:19:52.000000000 +0300 
@@ -0,0 +1,40 @@ +From f9b1f9f0a236dfee230b08dcc4165d83c07d473e Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <[email protected]> +Date: Thu, 16 Jan 2025 02:13:43 +0100 +Subject: opj_jp2_read_header: Check for error after parsing header. + +Consider the case where the caller has not set the p_image +pointer to NULL before calling opj_read_header(). + +If opj_j2k_read_header_procedure() fails while obtaining the rest +of the marker segment when calling opj_stream_read_data() because +the data stream is too short, then opj_j2k_read_header() will +never have the chance to initialize p_image, leaving it +uninitialized. + +opj_jp2_read_header() will check the p_image value whether +opj_j2k_read_header() suceeded or failed. This may be detected as +an error in valgrind or ASAN. + +The fix is to check whether opj_j2k_read_header() suceeded before +using the output argument p_image. +--- + src/lib/openjp2/jp2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c +index 4df055a5..da506318 100644 +--- a/src/lib/openjp2/jp2.c ++++ b/src/lib/openjp2/jp2.c +@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream, + p_image, + p_manager); + +- if (p_image && *p_image) { ++ if (ret && p_image && *p_image) { + /* Set Image Color Space */ + if (jp2->enumcs == 16) { + (*p_image)->color_space = OPJ_CLRSPC_SRGB; +-- +2.30.2 + diff -Nru openjpeg2-2.5.3/debian/patches/series openjpeg2-2.5.3/debian/patches/series --- openjpeg2-2.5.3/debian/patches/series 2025-03-10 09:22:54.000000000 +0200 +++ openjpeg2-2.5.3/debian/patches/series 2025-08-09 18:19:52.000000000 +0300 @@ -1,2 +1,3 @@ issue878.patch man_fix.patch +0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch
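Review bot: In the debian/changelog hunk, the CVE-2025-54874 entry calls the issue an "Out-of-bounds write in opj_jp2_read_header()", but it does not name the patch file it adds, and the patch's own commit message only describes reading an uninitialized p_image that "may be detected as an error in valgrind or ASAN". Please name 0001-opj_jp2_read_header-Check-for-error-after-parsing-he.patch in the changelog entry and note that it is upstream commit f9b1f9f0a236dfee230b08dcc4165d83c07d473e, so that someone auditing the package can tie the CVE wording to the one-line change without opening the patch.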
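Review bot: In the jp2.c hunk of the new patch file, the added `ret &&` guard stops opj_jp2_read_header() from dereferencing *p_image after a failed opj_j2k_read_header(), but it leaves *p_image in the same uninitialized state the commit message describes. The visible lines do not show the caller being given a defined value on failure, so any caller that inspects or frees *p_image without checking the return value still reads garbage. It is worth confirming that the callers in this package version check the return value first, or documenting in the patch header that *p_image must not be used when the function returns failure.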

