Bug 979907 (CVE-2015-8871)

Summary: VUL-0: CVE-2015-8871: openjpeg2: Use-after-free in opj_j2k_write_mco function
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Hans Petter Jansson <hpj>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, hpj, tzotsos
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/169089/
Whiteboard: CVSSv2:RedHat:CVE-2015-8871:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2015-8871:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2015-8871:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:SUSE:CVE-2015-8871:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Swamp Workflow Management 2016-05-13 22:01:32 UTC
bugbot adjusting priority
Comment 2 Asterios Dramis 2017-01-31 21:34:15 UTC
This issue does not affect openjpeg but openjpeg2 (see also rh#1335770).
Comment 3 Andreas Stieger 2017-05-19 09:42:11 UTC
(In reply to Asterios Dramis from comment #2)
> This issue does not affect openjpeg but openjpeg2 (see also rh#1335770).

assigning to openjpeg2 maintainers. Putting back into security analysis queue.
Comment 7 Swamp Workflow Management 2017-08-11 19:09:04 UTC
SUSE-SU-2017:2144-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 979907,997857
CVE References: CVE-2015-8871,CVE-2016-7163
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openjpeg2-2.1.0-4.3.2
SUSE Linux Enterprise Server 12-SP3 (src):    openjpeg2-2.1.0-4.3.2
SUSE Linux Enterprise Server 12-SP2 (src):    openjpeg2-2.1.0-4.3.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    openjpeg2-2.1.0-4.3.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    openjpeg2-2.1.0-4.3.2
Comment 8 Andreas Stieger 2017-08-16 18:13:10 UTC
releasing for Leap, done
Comment 9 Swamp Workflow Management 2017-08-16 22:10:22 UTC
openSUSE-SU-2017:2186-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 979907,997857
CVE References: CVE-2015-8871,CVE-2016-7163
Sources used:
openSUSE Leap 42.3 (src):    openjpeg2-2.1.0-16.1
openSUSE Leap 42.2 (src):    openjpeg2-2.1.0-13.3.1
Comment 10 Swamp Workflow Management 2017-09-26 01:12:50 UTC
openSUSE-SU-2017:2567-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1002414,1007739,1007740,1007741,1007742,1007743,1007744,1007747,1014543,1014975,979907,997857,999817
CVE References: CVE-2015-8871,CVE-2016-7163,CVE-2016-7445,CVE-2016-8332,CVE-2016-9112,CVE-2016-9113,CVE-2016-9114,CVE-2016-9115,CVE-2016-9116,CVE-2016-9117,CVE-2016-9118,CVE-2016-9572,CVE-2016-9573,CVE-2016-9580,CVE-2016-9581
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    openjpeg2-2.1.0-5.1, openjpeg2-2.1.0-6.1