A double free or heap corruption vulnerability was found in the opj_free function, triggered by a specially crafted JPEG2000 image file, in openjpeg 2016.03.14. CVE request (contains reproducer): http://seclists.org/oss-sec/2016/q1/631
Created mingw-openjpeg2 tracking bugs for this issue: Affects: fedora-all [bug 1317831]
Created openjpeg2 tracking bugs for this issue: Affects: fedora-all [bug 1317830] Affects: epel-all [bug 1317832]
CVE assignment: http://seclists.org/oss-sec/2016/q1/667
Patch: https://github.com/uclouvain/openjpeg/commit/ad593c9e0622e0d8d87228e67e4dbd36243ffd22
openjpeg2-2.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
openjpeg2-2.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
mingw-openjpeg2-2.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
mingw-openjpeg2-2.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Upstream ticket: https://github.com/uclouvain/openjpeg/issues/725
openjpeg-1 falls to the same reproducer, though in a different location. The function color_sycc_to_rgb (not "esycc") seems to be involved - notable because the same function exists in openjpeg2 and did not get the same checks in this update. Chromium looks to be safe here; it has altered the sycc conversion fairly aggressively.
This flaw only applies to the executables shipped with openjpeg: applications linked with openjpeg-libs or openjpeg-devel are not affected.
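As an added illustration of the bug class behind the sycc conversion discussed above, and not code from openjpeg, the reporter, or this bug's patch: a constructed C harness in which an in-place sYCC-to-RGB conversion indexes all three component planes by the luma index. When a crafted file declares chroma planes smaller than the luma plane, the unchecked variant writes past the chroma buffers (the heap corruption an allocator later reports at free time); the checked variant rejects mismatched component sizes before touching any buffer. All names (plane_t, image_t, image_init, sycc_to_rgb_unchecked, sycc_to_rgb_checked) are hypothetical, and each plane is over-allocated with a guard region of canary samples so the overflow can be observed deterministically instead of crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a decoded planar YCC image; NOT openjpeg's
 * opj_image_t / opj_image_comp_t. Each plane carries a trailing guard region
 * of CANARY samples so an overflow past w*h lands somewhere observable
 * instead of in real heap metadata. */
#define CANARY 0x5A5A5A5A

typedef struct { unsigned w, h; int *data; size_t cap; } plane_t;
typedef struct { plane_t comps[3]; } image_t;

static int plane_alloc(plane_t *p, unsigned w, unsigned h, int fill, size_t guard)
{
    size_t n = (size_t)w * h;
    p->w = w; p->h = h; p->cap = n + guard;
    p->data = malloc(p->cap * sizeof *p->data);
    if (!p->data) return -1;
    for (size_t k = 0; k < n; k++) p->data[k] = fill;
    for (size_t k = n; k < p->cap; k++) p->data[k] = CANARY;
    return 0;
}

/* Number of guard samples past w*h that no longer hold CANARY. */
static size_t plane_guard_clobbered(const plane_t *p)
{
    size_t n = (size_t)p->w * p->h, bad = 0;
    for (size_t k = n; k < p->cap; k++) if (p->data[k] != CANARY) bad++;
    return bad;
}

static void image_destroy(image_t *img)
{
    for (int i = 0; i < 3; i++) { free(img->comps[i].data); img->comps[i].data = NULL; }
}

/* Constructed input standing in for a decoded file's components: a w*h luma
 * plane and two cw*ch chroma planes, each filled with a constant sample. */
static int image_init(image_t *img, unsigned w, unsigned h, unsigned cw, unsigned ch,
                      int y, int cb, int cr, size_t guard)
{
    memset(img, 0, sizeof *img);
    if (plane_alloc(&img->comps[0], w, h, y, guard) ||
        plane_alloc(&img->comps[1], cw, ch, cb, guard) ||
        plane_alloc(&img->comps[2], cw, ch, cr, guard)) { image_destroy(img); return -1; }
    return 0;
}

static int clamp8(long long v) { return v < 0 ? 0 : v > 255 ? 255 : (int)v; }

/* In-place sYCC (4:4:4) -> RGB with the usual coefficients, indexing all
 * three planes by the luma index. Correct only if the planes are the same
 * size; with a smaller chroma plane the writes to cb[k]/cr[k] run past it. */
static void convert_in_place(image_t *img)
{
    int *y = img->comps[0].data, *cb = img->comps[1].data, *cr = img->comps[2].data;
    size_t n = (size_t)img->comps[0].w * img->comps[0].h;
    for (size_t k = 0; k < n; k++) {
        long long Y = y[k], Cb = cb[k] - 128LL, Cr = cr[k] - 128LL;
        y[k]  = clamp8(Y + (1402 * Cr) / 1000);            /* R */
        cb[k] = clamp8(Y - (344 * Cb + 714 * Cr) / 1000);  /* G */
        cr[k] = clamp8(Y + (1772 * Cb) / 1000);            /* B */
    }
}

/* Vulnerable shape: trusts that the file's three components agree in size. */
static int sycc_to_rgb_unchecked(image_t *img) { convert_in_place(img); return 0; }

/* Hardened shape: reject mismatched component sizes before touching any
 * buffer. A 4:2:0 / 4:2:2 variant would require the subsampled ratio instead. */
static int sycc_to_rgb_checked(image_t *img)
{
    const plane_t *c = img->comps;
    if (c[1].w != c[0].w || c[1].h != c[0].h ||
        c[2].w != c[0].w || c[2].h != c[0].h) return -1;
    convert_in_place(img);
    return 0;
}

int main(void)
{
    image_t img;
    /* Crafted shape: 4x4 luma with 2x2 chroma; the guard absorbs the overflow. */
    if (image_init(&img, 4, 4, 2, 2, 100, 128, 128, 16)) return 1;
    printf("checked: %d\n", sycc_to_rgb_checked(&img));   /* -1, buffers untouched */
    sycc_to_rgb_unchecked(&img);
    printf("chroma guard samples clobbered: %zu\n",
           plane_guard_clobbered(&img.comps[1]));         /* 12 */
    image_destroy(&img);
    return 0;
}
```

The guard region is only a harness device: in a real decoder the 12 overflowing writes per chroma plane land in whatever the allocator placed after the buffer, which is why the failure surfaces later as an abort inside the free path rather than at the conversion itself.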
*** Bug 1317822 has been marked as a duplicate of this bug. ***
(In reply to Doran Moppert from comment #10) > openjpeg-1 falls to the same reproducer, though in a different location. This was unrelated - see bug 1036495. Openjpeg-1.x is not affected by this issue.