CVE-2020-27844

NameCVE-2020-27844
DescriptionA flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openjpeg2 (PTS)stretch2.1.2-1.1+deb9u4fixed
stretch (security)2.1.2-1.1+deb9u6fixed
buster2.3.0-2+deb10u1fixed
buster (security)2.3.0-2+deb10u2fixed
bullseye, sid2.4.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openjpeg2source(unstable)(not affected)

Notes

- openjpeg2 <not-affected> (Vulnerable code introduced and fixed in 2.4.0)
https://github.com/uclouvain/openjpeg/issues/1299
Fixed by: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0)
Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5

Search for package or bug name: Reporting problems