| Name | CVE-2020-27814 |
| Description | A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| References | DLA-2550-1, DSA-4882-1 |
| NVD severity | medium |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| openjpeg2 (PTS) | stretch | 2.1.2-1.1+deb9u4 | vulnerable |
| stretch (security) | 2.1.2-1.1+deb9u6 | fixed | |
| buster | 2.3.0-2+deb10u1 | vulnerable | |
| buster (security) | 2.3.0-2+deb10u2 | fixed | |
| bullseye, sid | 2.4.0-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| openjpeg2 | source | stretch | 2.1.2-1.1+deb9u6 | DLA-2550-1 | ||
| openjpeg2 | source | buster | 2.3.0-2+deb10u2 | DSA-4882-1 | ||
| openjpeg2 | source | (unstable) | 2.4.0-1 |
https://github.com/uclouvain/openjpeg/issues/1283
https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc (v2.4.0)
https://github.com/uclouvain/openjpeg/commit/15cf3d95814dc931ca0ecb132f81cb152e051bae (v2.4.0)
https://github.com/uclouvain/openjpeg/commit/649298dcf84b2f20cfe458d887c1591db47372a6
https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9