CVE-2018-16376
Published: 3 September 2018
An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.
Priority
Low
CVSS 3 base score: 8.8
Status
| Package | Release | Status |
|---|---|---|
|
openjpeg2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not built)
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Not vulnerable
(code not built)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not built)
|
Notes
| Author | Note |
|---|---|
| mdeslaur | Ubuntu packages are built with BUILD_MJ2:BOOL=OFF, so the affected code isn't compiled |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16376
- https://github.com/asarubbo/poc/blob/master/00322-openjpeg-heapoverflow-opj_t2_encode_packet/
- NVD
- Launchpad
- Debian