openjpeg: Multiple vulnerabilities (CVE-2020-27814, CVE-2020-27823, CVE-2020-27824)
CVE-2020-27814: Heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS
A heap-buffer overwrites error was discovered in lib/openjp2/mqc.c in OpenJPEG 2.3.1. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution.
References:
- https://github.com/uclouvain/openjpeg/issues/1283
- https://security-tracker.debian.org/tracker/CVE-2020-27814
Patches:
- https://github.com/uclouvain/openjpeg/commit/15cf3d95814dc931ca0ecb132f81cb152e051bae
- https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc
CVE-2020-27823: Heap-buffer-overflow write in lib-openjp2
In openjpeg v2.3.1 and prior, there's a heap buffer overflow in opj_tcd_dc_level_shift_encode() causing an out-of-bounds WRITE when crafted input is processed by the encoder and -d option is used.
References:
- https://github.com/uclouvain/openjpeg/issues/1284
- https://security-tracker.debian.org/tracker/CVE-2020-27823
Patch:
https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919
CVE-2020-27824: global-buffer-overflow read in lib-openjp2
In openjpeg v2.3.1 and prior, if too many decomposition levels are supplied to the encoder, it could cause a global buffer overflow to out-of-bounds read in the opj_dwt_calc_explicit_stepsizes() function.
References:
- https://github.com/uclouvain/openjpeg/issues/1286
- https://security-tracker.debian.org/tracker/CVE-2020-27824
Patch:
https://github.com/uclouvain/openjpeg/pull/1292/commits/6daf5f3e1ec6eff03b7982889874a3de6617db8d
Affected branches:
-
master -
3.12-stable -
3.11-stable -
3.10-stable