Red Hat Security Advisory 2022-7645-01
Red Hat Security Advisory 2022-7645-01 - OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Low: openjpeg2 security update
Advisory ID: RHSA-2022:7645-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7645
Issue date: 2022-11-08
CVE Names: CVE-2022-1122
====================================================================
- Summary:
An update for openjpeg2 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
- Description:
OpenJPEG is an open source library for reading and writing image files in
JPEG2000 format.
Security Fix(es):
- openjpeg: segmentation fault in opj2_decompress due to uninitialized
pointer (CVE-2022-1122)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
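The flaw this advisory fixes is a free() of a pointer that was never assigned, reached on an allocation-failure path in opj2_decompress (the related item at the end of this page describes the mechanism). The following is an added illustration of that bug class and its standard mitigation, not OpenJPEG's code: the allocator is injected so the failure path can be exercised, the sample file names are constructed, and every pointer an error path may release starts as NULL so that free() on it is a defined no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenJPEG's code. Models the bug class named in the
 * advisory: an error path that frees a pointer which was never assigned. */

typedef void *(*alloc_fn)(size_t);

/* Constructed sample input standing in for a directory listing. */
static const char *const SAMPLE_NAMES[] = { "a.j2k", "b.j2k", "c.jp2" };
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/* Allocator that always fails, used to drive the error path on demand. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Vulnerable shape, shown only as a comment because running it is
 * undefined behaviour and typically a segmentation fault:
 *
 *   char **list;                           // never initialized
 *   char *buf = alloc(n);
 *   if (buf == NULL) { free(list); ... }   // free() of an indeterminate pointer
 */

/* Hardened version: every pointer an error path may release is initialized
 * to NULL, and each allocation is checked before use.
 * Returns the number of names collected, or -1 on allocation failure. */
int collect_filenames(alloc_fn alloc, char ***out_list)
{
    char **list = NULL;      /* free(NULL) is a defined no-op */
    char *buf = NULL;
    size_t i;

    *out_list = NULL;
    list = alloc(SAMPLE_COUNT * sizeof *list);
    if (list == NULL)
        goto fail;
    memset(list, 0, SAMPLE_COUNT * sizeof *list);   /* all slots NULL */

    for (i = 0; i < SAMPLE_COUNT; i++) {
        size_t len = strlen(SAMPLE_NAMES[i]) + 1;
        buf = alloc(len);
        if (buf == NULL)
            goto fail;
        memcpy(buf, SAMPLE_NAMES[i], len);
        list[i] = buf;
        buf = NULL;          /* ownership moved into the list */
    }
    *out_list = list;
    return (int)SAMPLE_COUNT;

fail:
    /* Safe regardless of which allocation failed: nothing here is
     * indeterminate, so each free() sees either a live block or NULL. */
    if (list != NULL)
        for (i = 0; i < SAMPLE_COUNT; i++)
            free(list[i]);
    free(list);
    free(buf);
    return -1;
}

/* Releases a list returned by collect_filenames(); tolerates NULL. */
void free_filenames(char **list)
{
    size_t i;
    if (list == NULL)
        return;
    for (i = 0; i < SAMPLE_COUNT; i++)
        free(list[i]);
    free(list);
}

int main(void)
{
    char **names;
    int n = collect_filenames(malloc, &names);
    printf("malloc: collected %d names\n", n);
    free_filenames(names);
    n = collect_filenames(failing_alloc, &names);
    printf("failing allocator: returned %d without crashing\n", n);
    return 0;
}
```

The second call in main() is the path that crashed in the unfixed opj2_decompress: with the pointer initialized and the allocation result checked, the same failure degrades to an error return instead of a segmentation fault.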
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.7 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2067052 - CVE-2022-1122 openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
openjpeg2-2.4.0-5.el8.src.rpm
aarch64:
openjpeg2-2.4.0-5.el8.aarch64.rpm
openjpeg2-debuginfo-2.4.0-5.el8.aarch64.rpm
openjpeg2-debugsource-2.4.0-5.el8.aarch64.rpm
openjpeg2-tools-2.4.0-5.el8.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.aarch64.rpm
noarch:
openjpeg2-devel-docs-2.4.0-5.el8.noarch.rpm
ppc64le:
openjpeg2-2.4.0-5.el8.ppc64le.rpm
openjpeg2-debuginfo-2.4.0-5.el8.ppc64le.rpm
openjpeg2-debugsource-2.4.0-5.el8.ppc64le.rpm
openjpeg2-tools-2.4.0-5.el8.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.ppc64le.rpm
s390x:
openjpeg2-2.4.0-5.el8.s390x.rpm
openjpeg2-debuginfo-2.4.0-5.el8.s390x.rpm
openjpeg2-debugsource-2.4.0-5.el8.s390x.rpm
openjpeg2-tools-2.4.0-5.el8.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.s390x.rpm
x86_64:
openjpeg2-2.4.0-5.el8.i686.rpm
openjpeg2-2.4.0-5.el8.x86_64.rpm
openjpeg2-debuginfo-2.4.0-5.el8.i686.rpm
openjpeg2-debuginfo-2.4.0-5.el8.x86_64.rpm
openjpeg2-debugsource-2.4.0-5.el8.i686.rpm
openjpeg2-debugsource-2.4.0-5.el8.x86_64.rpm
openjpeg2-tools-2.4.0-5.el8.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 8):
aarch64:
openjpeg2-debuginfo-2.4.0-5.el8.aarch64.rpm
openjpeg2-debugsource-2.4.0-5.el8.aarch64.rpm
openjpeg2-devel-2.4.0-5.el8.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.aarch64.rpm
ppc64le:
openjpeg2-debuginfo-2.4.0-5.el8.ppc64le.rpm
openjpeg2-debugsource-2.4.0-5.el8.ppc64le.rpm
openjpeg2-devel-2.4.0-5.el8.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.ppc64le.rpm
s390x:
openjpeg2-debuginfo-2.4.0-5.el8.s390x.rpm
openjpeg2-debugsource-2.4.0-5.el8.s390x.rpm
openjpeg2-devel-2.4.0-5.el8.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.s390x.rpm
x86_64:
openjpeg2-debuginfo-2.4.0-5.el8.i686.rpm
openjpeg2-debuginfo-2.4.0-5.el8.x86_64.rpm
openjpeg2-debugsource-2.4.0-5.el8.i686.rpm
openjpeg2-debugsource-2.4.0-5.el8.x86_64.rpm
openjpeg2-devel-2.4.0-5.el8.i686.rpm
openjpeg2-devel-2.4.0-5.el8.x86_64.rpm
openjpeg2-tools-2.4.0-5.el8.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-5.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1122
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Ubuntu Security Notice 7083-1 - It was discovered that OpenJPEG incorrectly handled certain memory operations when using the command line "-ImgDir" in a directory with a large number of files, leading to an integer overflow vulnerability. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that OpenJPEG incorrectly handled decompressing certain .j2k files in sycc420_to_rgb, leading to a heap-based buffer overflow vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to execute arbitrary code.
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Red Hat Security Advisory 2023-1174-01 - OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate.
OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic. * CVE-2022...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
Red Hat Security Advisory 2022-8207-01 - OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.
An update for openjpeg2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1122: openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer
An update for openjpeg2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1122: openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer
Gentoo Linux Security Advisory 202209-4 - Multiple vulnerabilities have been discovered in OpenJPEG, the worst of which could result in arbitrary code execution. Versions less than 2.5.0 are affected.
A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.