Your message dated Tue, 12 Mar 2019 16:17:09 +0000
with message-id <e1h3k5v-0008x9...@fasolo.debian.org>
and subject line Bug#910763: fixed in openjpeg2 2.1.2-1.1+deb9u3
has caused the Debian Bug report #910763,
regarding openjpeg2: CVE-2018-18088
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
910763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910763
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1152

Hi,

The following vulnerability was published for openjpeg2.

CVE-2018-18088[0]:
| OpenJPEG 2.3.0 has a NULL pointer dereference for "red" in the
| imagetopnm function of jp2/convert.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18088
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18088
[1] https://github.com/uclouvain/openjpeg/issues/1152

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u3

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 910...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luci...@debian.org> (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 07 Mar 2019 16:41:30 -0500
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-de...@lists.alioth.debian.org>
Changed-By: Luciano Bello <luci...@debian.org>
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
     pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
   * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
     (closes: #889683).
   * CVE-2017-17480: Write stack buffer overflow due to missing buffer
     length formatter in fscanf call (closes: #884738).
   * CVE-2018-18088: Null pointer dereference caused by null image
     components in imagetopnm (closes: #910763).
   * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
--- End Message ---
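
The failure mode named for CVE-2018-18088 above (an image component with a NULL sample buffer reaching the PNM writer) and the check that prevents it, as an added example that is not code from OpenJPEG or from the Debian patch. The types `comp_t` and `image_t` and the functions `image_to_ppm` and `demo` are hypothetical, the sample image is constructed, and 8-bit samples are assumed.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical, simplified image model; these are not OpenJPEG's real structs. */
typedef struct { int w, h; const int *data; } comp_t;
typedef struct { int numcomps; const comp_t *comps; } image_t;

/* Serialise an RGB image as binary PPM (P6) into out[0..cap).
 * Returns the number of bytes written, or -1 if the image is rejected. */
long image_to_ppm(const image_t *img, unsigned char *out, size_t cap)
{
    if (img == NULL || out == NULL || img->comps == NULL || img->numcomps < 3)
        return -1;
    const comp_t *c = img->comps;
    /* Validate every plane before reading any of them: a component can be
     * declared in the header while its sample buffer was never allocated. */
    for (int i = 0; i < 3; i++) {
        if (c[i].data == NULL || c[i].w <= 0 || c[i].h <= 0 ||
            c[i].w != c[0].w || c[i].h != c[0].h)
            return -1;
    }
    int hdr = snprintf((char *)out, cap, "P6\n%d %d\n255\n", c[0].w, c[0].h);
    size_t n = (size_t)c[0].w * (size_t)c[0].h;
    if (hdr < 0 || (size_t)hdr >= cap || n > (cap - (size_t)hdr) / 3)
        return -1;                      /* output buffer too small */
    unsigned char *p = out + hdr;
    for (size_t i = 0; i < n; i++) {    /* interleave red, green, blue */
        *p++ = (unsigned char)(c[0].data[i] & 0xff);
        *p++ = (unsigned char)(c[1].data[i] & 0xff);
        *p++ = (unsigned char)(c[2].data[i] & 0xff);
    }
    return (long)(p - out);
}

/* Constructed 2x1 sample image; with_red == 0 models the missing red plane. */
long demo(int with_red)
{
    static const int r[] = {255, 0}, g[] = {0, 255}, b[] = {0, 0};
    comp_t comps[3] = { {2, 1, with_red ? r : NULL}, {2, 1, g}, {2, 1, b} };
    image_t img = { 3, comps };
    unsigned char buf[64];
    return image_to_ppm(&img, buf, sizeof buf);
}

int main(void)
{
    printf("valid image: %ld bytes\n", demo(1));
    printf("NULL red plane: %ld\n", demo(0));
    return 0;
}
```

Without the loop that checks `data`, the first read of `c[0].data[i]` on the second sample image would dereference NULL.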