Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files. Reference: https://github.com/uclouvain/openjpeg/issues/1338
Created mingw-openjpeg2 tracking bugs for this issue: Affects: fedora-all [bug 1950103] Created openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1950104] Created openjpeg2 tracking bugs for this issue: Affects: epel-7 [bug 1950102] Affects: fedora-all [bug 1950105]
This is not a "remote" attack because the opj2_compress tool is not bound to the network. If someone or script is taking remotely-retrieved files and then running them against opj2_compress, it should not be considered a remote attack from the aspect of the opj2_compress tool itself.
Statement: This flaw affects the opj2_compress utility but is not in the openjpeg2 library. Therefore, the attack vector is local to the opj2_compress utility and would require an attacker to convince a user to open a directory with an extremely large number of files using opj2_compress, or a script to be feeding such arbitrary, untrusted files to opj2_compress.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251