|Description||A mishandled zero case was discovered in opj_j2k_set_cinema_parameters in lib/openjp2/j2k.c in OpenJPEG 2.2.0. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service (heap-based buffer overflow affecting opj_write_bytes_LE in lib/openjp2/cio.c and opj_j2k_write_sot in lib/openjp2/j2k.c) or possibly remote code execution.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|Source Package||Release||Version||Status|
|openjpeg2 (PTS)||jessie (security), jessie||2.1.0-2+deb8u3||fixed|
|openjpeg2 (PTS)||stretch (security), stretch||2.1.2-1.1+deb9u2||fixed|
The information below is based on the following data on fixed versions.
When fixing this issue make sure to apply the complete fix including the following
to not make openjpeg2 vulnerable to CVE-2017-14164.