Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-8207-01

Red Hat Security Advisory 2022-8207-01 - OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.

Packet Storm
#vulnerability#linux#red_hat#ssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Low: openjpeg2 security update
Advisory ID: RHSA-2022:8207-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8207
Issue date: 2022-11-15
CVE Names: CVE-2022-1122
====================================================================

  1. Summary:

An update for openjpeg2 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

  1. Description:

OpenJPEG is an open source library for reading and writing image files in
JPEG2000 format.

Security Fix(es):

  • openjpeg: segmentation fault in opj2_decompress due to uninitialized
    pointer (CVE-2022-1122)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2067052 - CVE-2022-1122 openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
openjpeg2-2.4.0-7.el9.src.rpm

aarch64:
openjpeg2-2.4.0-7.el9.aarch64.rpm
openjpeg2-debuginfo-2.4.0-7.el9.aarch64.rpm
openjpeg2-debugsource-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.aarch64.rpm

ppc64le:
openjpeg2-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debuginfo-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debugsource-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.ppc64le.rpm

s390x:
openjpeg2-2.4.0-7.el9.s390x.rpm
openjpeg2-debuginfo-2.4.0-7.el9.s390x.rpm
openjpeg2-debugsource-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.s390x.rpm

x86_64:
openjpeg2-2.4.0-7.el9.i686.rpm
openjpeg2-2.4.0-7.el9.x86_64.rpm
openjpeg2-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-debuginfo-2.4.0-7.el9.x86_64.rpm
openjpeg2-debugsource-2.4.0-7.el9.i686.rpm
openjpeg2-debugsource-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
openjpeg2-debuginfo-2.4.0-7.el9.aarch64.rpm
openjpeg2-debugsource-2.4.0-7.el9.aarch64.rpm
openjpeg2-devel-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.aarch64.rpm

ppc64le:
openjpeg2-debuginfo-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debugsource-2.4.0-7.el9.ppc64le.rpm
openjpeg2-devel-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.ppc64le.rpm

s390x:
openjpeg2-debuginfo-2.4.0-7.el9.s390x.rpm
openjpeg2-debugsource-2.4.0-7.el9.s390x.rpm
openjpeg2-devel-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.s390x.rpm

x86_64:
openjpeg2-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-debuginfo-2.4.0-7.el9.x86_64.rpm
openjpeg2-debugsource-2.4.0-7.el9.i686.rpm
openjpeg2-debugsource-2.4.0-7.el9.x86_64.rpm
openjpeg2-devel-2.4.0-7.el9.i686.rpm
openjpeg2-devel-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-2.4.0-7.el9.i686.rpm
openjpeg2-tools-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-1122
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhFdzjgjWX9erEAQgS1Q/9EQDOF4ZawRGe05n43/uEPJi5FJfO0gHE
6Bf8P9zQPJG0xzs3ZeCJ2HrX8WaN/6VX+N1/Cz0lzO3IVd8biwggdZ2S7EjL8+VT
cpM2O5EqYS7ScLGnxurEjPXd1D8kcJC6aanu1a5ztiK6tXp693XVtb9EYBRUDtRg
dgY6qU3xdM5JDwdfXqFeZoHd2/Aaf0DVTLlGyOgSF1NF/whoC60lLPRC9xKRAT8n
XObHjEm7HyMGrIUPaoSIbzG1pHEjHMT2HyNKXnthzaBSOUaTjtATLSyi9uMvjOpn
LyyElibSatxRw6YV0k//cprLhvIeRIBk34KGd5uyZEC4BPaeY4I6bmtw1www1zcr
5DSvjuJP0ZmBEfjY018ibfHbiG+DKafwiTRjxQFz1F2Gn9ug7CVoDd2xTsDF8irq
APo8aIVQXZFtQ7szURxDUuHEuG7FhylN4NyKvwv9gbqti7hGO7rL9Tzx4eb3Azmg
CClV4fO7DjWrkmPguyE/Y9Y9u2M/tfCKFzeIfoJ4ykb3QZoqs6eHa+0jX89Dq1AT
1i0sEREsAcPDN/soUkZ5RnrD82xagCzFEHyukOM78g9LzWgZoU143bIFMfV9Cuz2
J+dBXf67ygMFbc7F+n8DuEoL2tNzVjkvl9ig9ykrkkkkSnb3kTxp1Zk6QzNhmRP9
kgngEo/g17c=wQvP
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Ubuntu Security Notice USN-7083-1

Ubuntu Security Notice 7083-1 - It was discovered that OpenJPEG incorrectly handled certain memory operations when using the command line "-ImgDir" in a directory with a large number of files, leading to an integer overflow vulnerability. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that OpenJPEG incorrectly handled decompressing certain .j2k files in sycc420_to_rgb, leading to a heap-based buffer overflow vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to execute arbitrary code.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

Red Hat Security Advisory 2023-1174-01

Red Hat Security Advisory 2023-1174-01 - OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:1174: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic. * CVE-2022...

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

RHSA-2022:9047: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...

RHSA-2022:8207: Red Hat Security Advisory: openjpeg2 security update

An update for openjpeg2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1122: openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer

Red Hat Security Advisory 2022-7645-01

Red Hat Security Advisory 2022-7645-01 - OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.

RHSA-2022:7645: Red Hat Security Advisory: openjpeg2 security update

An update for openjpeg2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1122: openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer

Gentoo Linux Security Advisory 202209-04

Gentoo Linux Security Advisory 202209-4 - Multiple vulnerabilities have been discovered in OpenJPEG, the worst of which could result in arbitrary code execution. Versions less than 2.5.0 are affected.

CVE-2022-1122: Exist a issues of freeing uninitialized pointer in src/bin/jp2/opj_decompress.c,that will cause a segfault · Issue #1368 · uclouvain/openjpeg

A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution