CVE-2020-27843

Name	CVE-2020-27843
Description	A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2975-1, DSA-4882-1
Debian Bugs	983663

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openjpeg2 (PTS)	bullseye	2.4.0-3	fixed
	sid, trixie, bookworm	2.5.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
openjpeg2	source	stretch	2.1.2-1.1+deb9u7	DLA-2975-1
openjpeg2	source	buster	2.3.0-2+deb10u2	DSA-4882-1
openjpeg2	source	(unstable)	2.4.0-1		983663

Notes

https://github.com/uclouvain/openjpeg/issues/1297
Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0)