DescriptionDouble free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openjpeg2 (PTS)jessie2.1.0-2+deb8u3vulnerable
jessie (security)2.1.0-2+deb8u6fixed
stretch (security), stretch2.1.2-1.1+deb9u2fixed
buster, sid2.3.0-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

The issue must have been fixed in one of the commits before or with
which corresponds to the r2997 commit as mentioned in the merge which
fixed the issue on Google/PDFium's side.

Search for package or bug name: Reporting problems