[3.9] openjpeg: Multiple vulnerabilities (CVE-2018-14423, CVE-2018-6616) (#9797) · Issues · alpine / aports

[3.9] openjpeg: Multiple vulnerabilities (CVE-2018-14423, CVE-2018-6616)

CVE-2018-14423: Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in lib/openjp3d/pi.c
in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-14423
https://github.com/uclouvain/openjpeg/issues/1123

Patch:

https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b

CVE-2018-6616: In OpenJPEG 2.3.0, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote
attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-6616
https://github.com/uclouvain/openjpeg/issues/1059

Patch:

https://github.com/hlef/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3

(from redmine: issue id 9797, created on 2018-12-27, closed on 2019-01-01)

Relations:
- parent #9796 (closed)
Changesets:
- Revision 50f991ef by Francesco Colista on 2019-01-01T07:33:41Z:

main/openjpeg: security fixes

- CVE-2018-14423
- CVE-2018-6616

this commit fixes #9797

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information