Bugzilla – Bug 1149789
VUL-0: CVE-2018-21010: openjpeg2: heap buffer overflow in color_apply_icc_profile in bin/common/color.c
Last modified: 2022-11-18 20:30:16 UTC
CVE-2018-21010 OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_profile in bin/common/color.c. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-21010 http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-21010.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21010 https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
I could not locate much of information or a POC. Judging from the fix it seems that only SLE15 version is affected. Ghostscript ships similar code with the openjpeg2 of SLE-12. Tracked as affected SLE-15.
ping again? is there help needed to evaluate?
Based on code inspection, all openjpeg code streams are affected. This includes: - SUSE:SLE-15:Update/openjpeg (applications/common/color.c L385+) - SUSE:SLE-12-SP2:Update/openjpeg2 (src/bin/common/color.c L473+) - SUSE:SLE-15:Update/openjpeg2 (src/bin/common/color.c L599+)
SUSE-SU-2022:3801-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1149789,1179821,1180043,1180044,1180046 CVE References: CVE-2018-21010,CVE-2020-27824,CVE-2020-27842,CVE-2020-27843,CVE-2020-27845 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): openjpeg2-2.1.0-4.18.2 SUSE OpenStack Cloud 9 (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server for SAP 12-SP4 (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP5 (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP4-LTSS (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP3-BCL (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP2-BCL (src): openjpeg2-2.1.0-4.18.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3802-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1140205,1149789,1179594,1179821,1180042,1180043,1180044,1180046 CVE References: CVE-2018-20846,CVE-2018-21010,CVE-2020-27814,CVE-2020-27824,CVE-2020-27841,CVE-2020-27842,CVE-2020-27843,CVE-2020-27845 JIRA References: Sources used: openSUSE Leap 15.4 (src): openjpeg2-2.3.0-150000.3.8.1 openSUSE Leap 15.3 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Manager Server 4.1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Manager Retail Branch Server 4.1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Manager Proxy 4.1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server for SAP 15 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Enterprise Storage 7 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Enterprise Storage 6 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE CaaS Platform 4.0 (src): openjpeg2-2.3.0-150000.3.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
fixed
SUSE-SU-2022:4082-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 1140205,1149789,1179821,1180043,1180044,1180046 CVE References: CVE-2018-20846,CVE-2018-21010,CVE-2020-27824,CVE-2020-27842,CVE-2020-27843,CVE-2020-27845 JIRA References: Sources used: openSUSE Leap 15.4 (src): openjpeg-1.5.2-150000.4.10.1 openSUSE Leap 15.3 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server for SAP 15 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server 15-LTSS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openjpeg-1.5.2-150000.4.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.