Vulnerability roundup 63: openjpeg-2.3.0: 8 advisories

[ckauhaus]

search, files

• CVE-2017-17479 (nixos-19.03)
• CVE-2018-14423 (nixos-19.03)
• CVE-2018-16375 (nixos-19.03)
• CVE-2018-16376 (nixos-19.03)
• CVE-2018-5727 (nixos-19.03)
• CVE-2018-5785 (nixos-19.03)
• CVE-2018-6616 (nixos-19.03)
• CVE-2019-6988 (nixos-19.03)

Scanned versions: nixos-19.03: 5847485. May contain false positives.

[ckauhaus]

See also #55389

[danderson]

What a bounty of CVEs!

There is a 2.3.1 patch release that seems to include most of these:

• CVE-2017-17479 (nixos-19.03)

uclouvain/openjpeg#1044 , in 2.3.1.

• CVE-2018-14423 (nixos-19.03)

uclouvain/openjpeg#1123 , in 2.3.1.

• CVE-2018-16375 (nixos-19.03)

uclouvain/openjpeg#1126 , in 2.3.1.

• CVE-2018-16376 (nixos-19.03)

uclouvain/openjpeg#1127 , not fixed upstream.

• CVE-2018-5727 (nixos-19.03)

uclouvain/openjpeg#1053 , in 2.3.1.

• CVE-2018-5785 (nixos-19.03)

uclouvain/openjpeg#1057 , in 2.3.1.

• CVE-2018-6616 (nixos-19.03)

uclouvain/openjpeg#1059 , in 2.3.1.

• CVE-2019-6988 (nixos-19.03)

uclouvain/openjpeg#1178 , not fixed upstream.

So, upgrading to 2.3.1 will fix all the CVEs that are fixed upstream... But it still leaves 2 unfixed CVEs. Unfortunately openjpeg is a widely used package, marking it insecure would break a large package closure.

I will send a PR to upgrade to 2.3.1 at least, but we need to decide what to do about the unfixed CVEs.

[danderson]

My mistake, unstable + 19.09 + 20.03 are already on 2.3.1. So most of these are patched, and we're as patched as we can be given the status of upstream.

[andir]

@danderson I marked all but CVE-2019-6988 as solved in the initial post. That seems like the correct state. Do you agree?

[danderson]

@andir CVE-2018-16376 is also not patched right now (no upstream patch).

[ckauhaus]

Asked upstream

[rnhmjoj]

Closing as Nixos 19.03 is no longer supported.