Debian Package Tracker

general

source: openjpeg2 (optional, misc)
version: 2.1.2-1.3
maintainer: Debian PhotoTools Maintainers (archive) [DMD]
uploaders: Mathieu Malaterre [DMD]
arch: all any
std-ver: 3.9.8
VCS: Subversion (Browse)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.1.0-2+deb8u2
old-sec: 2.1.0-2+deb8u2
stable: 2.1.2-1.1
testing: 2.1.2-1.3
unstable: 2.1.2-1.3

versioned links

2.1.0-2+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.1.2-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.1.2-1.3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopenjp2-7
libopenjp2-7-dbg
libopenjp2-7-dev
libopenjp2-tools
libopenjp3d-tools
libopenjp3d7
libopenjpip-dec-server
libopenjpip-server
libopenjpip-viewer
libopenjpip7

action needed

A new upstream version is available: 2.2.0

high

A new upstream version 2.2.0 is available, you should consider packaging it.

Created: 2017-08-12 Last update: 2017-08-20 19:23

11 security issues in jessie

high

There are 11 open security issues in jessie.

7 important issues:

CVE-2016-5139: Multiple integer overflows in the opj_tcd_init_tile function in tcd.c in OpenJPEG, as used in PDFium in Google Chrome before 52.0.2743.116, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data.
CVE-2016-9118: Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of convert.c:1719 in OpenJPEG 2.1.2.
CVE-2016-1628: pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions.
CVE-2016-5152: Integer overflow in the opj_tcd_get_decoded_tile_size function in tcd.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data.
CVE-2016-1626: The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, miscalculates a certain layer index value, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document.
CVE-2016-5157: Heap-based buffer overflow in the opj_dwt_interleave_v function in dwt.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to execute arbitrary code via crafted coordinate values in JPEG 2000 data.
CVE-2016-5158: Multiple integer overflows in the opj_tcd_init_tile function in tcd.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data.

4 issues skipped by the security teams:

CVE-2016-9112: Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG 2.1.2.
CVE-2014-7947: OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c.
CVE-2016-1923: Heap-based buffer overflow in the opj_j2k_update_image_data function in OpenJpeg 2016.1.18 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG 2000 image.
CVE-2016-3183: The sycc422_t_rgb function in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted jpeg2000 file.

Please fix them.

Created: 2015-09-15 Last update: 2017-08-18 07:28

5 security issues in stretch

high

There are 5 open security issues in stretch.

4 important issues:

CVE-2016-5152: Integer overflow in the opj_tcd_get_decoded_tile_size function in tcd.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data.
CVE-2016-9118: Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of convert.c:1719 in OpenJPEG 2.1.2.
CVE-2016-1626: The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, miscalculates a certain layer index value, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document.
CVE-2016-1628: pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions.

1 issue skipped by the security teams:

CVE-2016-9112: Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cprl function in openjp2/pi.c:523 in OpenJPEG 2.1.2.

Please fix them.

Created: 2016-09-08 Last update: 2017-08-18 07:28

Standards version of the package is outdated.

high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.0.1 instead of 3.9.8).

Created: 2017-08-12 Last update: 2017-08-13 01:03

Multiarch hinter reports 1 issue(s)

normal

There are issues with the multiarch metadata for this package.

libopenjp2-7-dev could be marked Multi-Arch: same

Created: 2017-03-05 Last update: 2017-08-20 19:33

Does not build reproducibly during testing

normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2017-08-07 Last update: 2017-08-20 19:31

1 bug tagged patch in the BTS

normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2017-08-12 Last update: 2017-08-20 19:07

lintian reports 11 warnings

normal

Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2014-09-03 Last update: 2017-08-13 01:14

news

[rss feed]

[2017-08-18] openjpeg2 2.1.2-1.3 MIGRATED to testing (Debian testing watch)
[2017-08-12] Accepted openjpeg2 2.1.2-1.3 (source amd64 all) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2017-08-12] Accepted openjpeg2 2.1.2-1.2 (source) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2017-01-28] openjpeg2 2.1.2-1.1 MIGRATED to testing (Debian testing watch)
[2017-01-28] Accepted openjpeg2 2.1.0-2+deb8u2 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2017-01-24] Accepted openjpeg2 2.1.2-1.1 (all source) into unstable (Salvatore Bonaccorso)
[2016-10-04] openjpeg2 2.1.2-1 MIGRATED to testing (Debian testing watch)
[2016-09-29] Accepted openjpeg2 2.1.2-1 (source) into unstable (Mathieu Malaterre)
[2016-09-17] Accepted openjpeg2 2.1.0-2+deb8u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)
[2016-07-17] openjpeg2 2.1.1-1 MIGRATED to testing (Debian testing watch)
[2016-07-11] Accepted openjpeg2 2.1.1-1 (source) into unstable (Mathieu Malaterre)
[2015-06-02] openjpeg2 2.1.0-2.1 MIGRATED to testing (Britney)
[2015-05-30] Accepted openjpeg2 2.1.0-2.1 (source amd64 all) into unstable (Jean-Michel Vourgère) (signed by: Jean-Michel Nirgal Vourgère)
[2014-10-18] openjpeg2 2.1.0-2 MIGRATED to testing (Britney)
[2014-10-07] Accepted openjpeg2 2.1.0-2 (source amd64 all) into unstable (Mathieu Malaterre)
[2014-10-05] openjpeg2 2.1.0-1 MIGRATED to testing (Britney)
[2014-09-12] Accepted openjpeg2 2.1.0-1 (source amd64 all) into unstable, unstable (Mathieu Malaterre)

bugs [bug history graph]

all: 12
RC: 0
I&N: 7
M&W: 5
F&P: 0

links

homepage
lintian (0, 11)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.1.2-1.3
1 bug