[Git][security-tracker-team/security-tracker][master] CVE-2020-27844/openjpeg2 n/a on buster & stretch

Emilio Pozuelo Monfort pochu at debian.org
Tue Mar 16 12:23:23 GMT 2021 


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7ac5d178 by Emilio Pozuelo Monfort at 2021-03-16T13:22:57+01:00
CVE-2020-27844/openjpeg2 n/a on buster & stretch

The issue was introduced during the development of 2.4.0 and fixed
in that version, so was never in any version in Debian.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -30649,8 +30649,11 @@ CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions p
 	NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0)
 CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior  ...)
 	- openjpeg2 2.4.0-1
+	[buster] - openjpeg2 <not-affected> (Vulnerable code introduced and fixed in 2.4.0)
+	[stretch] - openjpeg2 <not-affected> (Vulnerable code introduced and fixed in 2.4.0)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1299
 	NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0)
+	NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
 CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...)
 	- openjpeg2 2.4.0-1 (bug #983663)
 	[buster] - openjpeg2 <no-dsa> (Minor issue)


=====================================
data/dla-needed.txt
=====================================
@@ -72,11 +72,6 @@ opendmarc
   NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto)
   NOTE: 20210104: wait for other CVEs (abhijith)
 --
-openjpeg2 (Emilio)
-  NOTE: 20210316: CVE-2020-27844.patch exists in source (via DLA-2550-1), but
-  NOTE: 20210316: does not exist in debian/patches/series or is otherwise not
-  NOTE: 20210316: applied. See b8ffed3c021 for more. (lamby)
---
 php-pear
 --
 pillow (Abhijith PA)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ac5d178b243580aea3f6c91637511aa235d057d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ac5d178b243580aea3f6c91637511aa235d057d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210316/6c98be2b/attachment.htm>

More information about the debian-security-tracker-commits mailing list