Your submission was sent successfully! Close

CVE-2018-5727

Published: 16 January 2018

In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the opj_t1_encode_cblks function (openjp2/t1.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.

From the Ubuntu security team

It was discovered that OpenJPEG incorrectly handled certain BMP files. A remote attacker could possibly use this issue to cause a denial of service.

Priority

Negligible

CVSS 3 base score: 6.5

Status

Package Release Status
ghostscript
Launchpad, Ubuntu, Debian
bionic
Released (9.26~dfsg+0-0ubuntu0.18.04.14)
focal Not vulnerable
(uses system openjpeg2)
groovy Not vulnerable
(uses system openjpeg2)
hirsute Not vulnerable
(uses system openjpeg2)
impish Not vulnerable
(uses system openjpeg2)
jammy Not vulnerable
(uses system openjpeg2)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial
Released (9.26~dfsg+0-0ubuntu0.16.04.14)
openjpeg
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Needed

upstream
Released (2.3.1)
xenial Ignored
(end of standard support, was needed)
Patches:
upstream: https://github.com/uclouvain/openjpeg/commit/a1d32a596a94280178c44a55d7e7f1acd992ed5d

openjpeg2
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(2.3.1-1)
groovy Not vulnerable
(2.3.1-1)
hirsute Not vulnerable
(2.3.1-1)
impish Not vulnerable
(2.3.1-1)
jammy Not vulnerable
(2.3.1-1)
precise Does not exist

trusty Does not exist

upstream
Released (2.3.1)
xenial Ignored
(end of standard support, was needed)
Patches:

upstream: https://github.com/uclouvain/openjpeg/pull/1187