CVE-2018-16376
Published: 3 September 2018
An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.
Priority
CVSS 3 base score: 8.8
Status
Package | Release | Status |
---|---|---|
openjpeg2 Launchpad, Ubuntu, Debian | bionic | Not vulnerable (code not built) |
openjpeg2 | cosmic | Ignored (reached end-of-life) |
openjpeg2 | disco | Ignored (reached end-of-life) |
openjpeg2 | eoan | Ignored (reached end-of-life) |
openjpeg2 | focal | Not vulnerable (code not built) |
openjpeg2 | precise | Does not exist |
openjpeg2 | trusty | Does not exist |
openjpeg2 | upstream | Needs triage |
openjpeg2 | xenial | Not vulnerable (code not built) |
Notes
Author | Note |
---|---|
mdeslaur | Ubuntu packages are built with BUILD_MJ2:BOOL=OFF, so the affected code isn't compiled |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16376
- https://github.com/asarubbo/poc/blob/master/00322-openjpeg-heapoverflow-opj_t2_encode_packet/
- NVD
- Launchpad
- Debian