Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2020-27845

Published: 5 January 2021

There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.

Priority

Medium

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package Release Status
insighttoolkit4
Launchpad, Ubuntu, Debian
groovy Ignored
(end of life)
kinetic Ignored
(end of life, was needed)
xenial Needed

bionic Needed

focal Needed

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

lunar Needed

trusty Does not exist

upstream Needs triage

mantic Does not exist

qtwebengine-opensource-src
Launchpad, Ubuntu, Debian
groovy Ignored
(end of life)
kinetic Ignored
(end of life, was needed)
bionic Needed

focal Needed

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

lunar Needed

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Needed

blender
Launchpad, Ubuntu, Debian
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
hirsute Not vulnerable
(code not present)
bionic Needed

impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
lunar Not vulnerable
(code not present)
trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not present)
mantic Not vulnerable
(code not present)
texmaker
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

groovy Ignored
(end of life)
hirsute Ignored
(end of life)
trusty Does not exist

upstream Needs triage

kinetic Ignored
(end of life, was needed)
impish Ignored
(end of life)
jammy Needed

lunar Needed

xenial Not vulnerable
(code not present)
mantic Needed

ghostscript
Launchpad, Ubuntu, Debian
bionic
Released (9.26~dfsg+0-0ubuntu0.18.04.14)
xenial
Released (9.26~dfsg+0-0ubuntu0.16.04.14)
focal Not vulnerable
(uses system openjpeg2)
groovy Not vulnerable
(uses system openjpeg2)
hirsute Not vulnerable
(uses system openjpeg2)
impish Not vulnerable
(uses system openjpeg2)
jammy Not vulnerable
(uses system openjpeg2)
kinetic Not vulnerable
(uses system openjpeg2)
lunar Not vulnerable
(uses system openjpeg2)
trusty Does not exist

upstream Needs triage

mantic Not vulnerable
(uses system openjpeg2)
openjpeg
Launchpad, Ubuntu, Debian
trusty Ignored
(changes too intrusive)
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

upstream Needs triage

xenial Ignored
(changes too intrusive)
mantic Does not exist

openjpeg2
Launchpad, Ubuntu, Debian
bionic
Released (2.3.0-2+deb10u2build0.18.04.1)
focal
Released (2.3.1-1ubuntu4.20.04.1)
groovy
Released (2.3.1-1ubuntu4.20.10.1)
hirsute
Released (2.3.1-1ubuntu5)
impish
Released (2.3.1-1ubuntu5)
jammy
Released (2.3.1-1ubuntu5)
kinetic
Released (2.3.1-1ubuntu5)
lunar
Released (2.3.1-1ubuntu5)
trusty Does not exist

upstream Needs triage

xenial
Released (2.1.2-1.1+deb9u6build0.16.04.1)
mantic
Released (2.3.1-1ubuntu5)
Patches:
upstream: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63

Severity score breakdown

Parameter Value
Base score 5.5
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H