CVE-2020-27843

NameCVE-2020-27843
DescriptionA flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4882-1
NVD severityhigh
Debian Bugs983663

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openjpeg2 (PTS)stretch2.1.2-1.1+deb9u4vulnerable
stretch (security)2.1.2-1.1+deb9u6vulnerable
buster, buster (security)2.3.0-2+deb10u2fixed
bookworm, sid, bullseye2.4.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openjpeg2sourcebuster2.3.0-2+deb10u2DSA-4882-1
openjpeg2source(unstable)2.4.0-1983663

Notes

[stretch] - openjpeg2 <no-dsa> (Minor issue)
https://github.com/uclouvain/openjpeg/issues/1297
Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0)

Search for package or bug name: Reporting problems