Bugzilla – Bug 1179821
VUL-1: CVE-2020-27824: openjpeg,openjpeg2,ghostscript: OOB read in opj_dwt_calc_explicit_stepsizes()
Last modified: 2024-07-29 15:16:52 UTC
CVE-2020-27824 In openjpeg v2.3.1 and prior, if too many decomposition levels are supplied to the encoder, it could cause a global buffer overflow to out-of-bounds read in the opj_dwt_calc_explicit_stepsizes() function. References: https://github.com/uclouvain/openjpeg/pull/1292/commits/6daf5f3e1ec6eff03b7982889874a3de6617db8d https://github.com/uclouvain/openjpeg/issues/1286 https://bugzilla.redhat.com/show_bug.cgi?id=1905723 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27824
SUSE:SLE-11-SP1:Update ghostscript-library Not affected [1] SUSE:SLE-12:Update ghostscript Affected SUSE:SLE-12-SP2:Update openjpeg2 Affected SUSE:SLE-15:Update ghostscript Affected SUSE:SLE-15:Update openjpeg Affected SUSE:SLE-15:Update openjpeg2 Affected [1] does not embed openjpeg
Hi, any update on this?
@Hans, is SUSE:SLE-15:Update/openjpeg affected here?
(In reply to Thomas Leroy from comment #4) > @Hans, is SUSE:SLE-15:Update/openjpeg affected here? Yes. openjpeg2, as well.
We decided to WONTFIX the embedded openjpeg2 in ghostscript, since backporting the patches or compiling it with the system openjpeg2 could likely cause regressions. @Hans, we are still missing submissions for: - SUSE:SLE-15:Update/openjpeg - SUSE:SLE-12-SP2:Update/openjpeg2 - SUSE:SLE-15:Update/openjpeg2
SUSE-SU-2022:3801-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1149789,1179821,1180043,1180044,1180046 CVE References: CVE-2018-21010,CVE-2020-27824,CVE-2020-27842,CVE-2020-27843,CVE-2020-27845 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): openjpeg2-2.1.0-4.18.2 SUSE OpenStack Cloud 9 (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server for SAP 12-SP4 (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP5 (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP4-LTSS (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP3-BCL (src): openjpeg2-2.1.0-4.18.2 SUSE Linux Enterprise Server 12-SP2-BCL (src): openjpeg2-2.1.0-4.18.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3802-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1140205,1149789,1179594,1179821,1180042,1180043,1180044,1180046 CVE References: CVE-2018-20846,CVE-2018-21010,CVE-2020-27814,CVE-2020-27824,CVE-2020-27841,CVE-2020-27842,CVE-2020-27843,CVE-2020-27845 JIRA References: Sources used: openSUSE Leap 15.4 (src): openjpeg2-2.3.0-150000.3.8.1 openSUSE Leap 15.3 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Manager Server 4.1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Manager Retail Branch Server 4.1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Manager Proxy 4.1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server for SAP 15 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Server 15-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Enterprise Storage 7 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE Enterprise Storage 6 (src): openjpeg2-2.3.0-150000.3.8.1 SUSE CaaS Platform 4.0 (src): openjpeg2-2.3.0-150000.3.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4082-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 1140205,1149789,1179821,1180043,1180044,1180046 CVE References: CVE-2018-20846,CVE-2018-21010,CVE-2020-27824,CVE-2020-27842,CVE-2020-27843,CVE-2020-27845 JIRA References: Sources used: openSUSE Leap 15.4 (src): openjpeg-1.5.2-150000.4.10.1 openSUSE Leap 15.3 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server for SAP 15 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Server 15-LTSS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openjpeg-1.5.2-150000.4.10.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openjpeg-1.5.2-150000.4.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released.