CVE-2016-9573
Published: 1 August 2018
An out-of-bounds read vulnerability was found in OpenJPEG 2.1.2, in the j2k_to_image tool. Converting a specially crafted JPEG2000 file to another format could cause the application to crash or, potentially, disclose some data from the heap.
Notes
Author | Note |
---|---|
ccdm94 | It seems like commit a817832c223 (szukw000:AFL_PATCH_0) was the final commit created by a contributor in order to fix this issue. This commit contains the changes in commit 7b28bd2b723 (szukw000:863-862), which originally attempts to fix this issue. Commit a817832c223 (see pull request 895 for more information) contains the changes in commit 7b28bd2b723, which fixes more than just issues 862 and 863. This commit, however, was never merged, and issue 892, related to this CVE, was instead fixed by another commit: 2fa0fc61f2d (which seems to have introduced a regression, fixed by 784d4d47e97). |
eslerm | upstream patches are also for issue 970 |
Priority
Status
Package | Release | Status |
---|---|---|
openjpeg (Launchpad, Ubuntu, Debian) | artful | Does not exist |
openjpeg | bionic | Does not exist |
openjpeg | cosmic | Does not exist |
openjpeg | disco | Does not exist |
openjpeg | focal | Does not exist |
openjpeg | jammy | Does not exist |
openjpeg | kinetic | Does not exist |
openjpeg | trusty | Ignored (changes too intrusive) |
openjpeg | upstream | Released (2.2.0) |
openjpeg | xenial | Ignored (changes too intrusive) |

Patches (openjpeg): upstream: https://github.com/uclouvain/openjpeg/commit/2fa0fc61f2d546c8b67e7c5a9cbc61d98e1f7af0 ; upstream: https://github.com/uclouvain/openjpeg/commit/784d4d47e97b5d0fccccbd931349997a0e2074cc

Package | Release | Status |
---|---|---|
openjpeg2 (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
openjpeg2 | bionic | Not vulnerable (2.3.0-1) |
openjpeg2 | focal | Not vulnerable (2.3.1-1ubuntu4) |
openjpeg2 | jammy | Not vulnerable (2.4.0-6) |
openjpeg2 | kinetic | Not vulnerable (2.5.0-1) |
openjpeg2 | precise | Does not exist |
openjpeg2 | trusty | Does not exist |
openjpeg2 | upstream | Released (2.2.0, 2.1.2-1.1) |
openjpeg2 | xenial | Released (2.1.2-1.1+deb9u2build0.1) |
openjpeg2 | yakkety | Ignored (end of life) |
openjpeg2 | zesty | Ignored (end of life) |

Patches (openjpeg2): upstream: https://github.com/uclouvain/openjpeg/commit/2fa0fc61f2d546c8b67e7c5a9cbc61d98e1f7af0 ; upstream: https://github.com/uclouvain/openjpeg/commit/784d4d47e97b5d0fccccbd931349997a0e2074cc
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |