Changelog openjpeg2 (2.3.1-1ubuntu4.20.04.1)

2021

openjpeg2 (2.3.1-1ubuntu4.20.04.1) focal-security; urgency=medium

   * SECURITY UPDATE: use-after-free via directory
     - debian/patches/CVE-2020-15389.patch: fix double-free on input
       directory with mix of valid and invalid images in
       src/bin/jp2/opj_decompress.c.
     - CVE-2020-15389
   * SECURITY UPDATE: heap-buffer-overflow
     - debian/patches/CVE-2020-27814-1.patch: grow buffer size in
       src/lib/openjp2/tcd.c.
     - debian/patches/CVE-2020-27814-2.patch: grow it again
     - debian/patches/CVE-2020-27814-3.patch: and some more
     - debian/patches/CVE-2020-27814-4.patch: bigger, BIGGER!!!
     - CVE-2020-27814
   * SECURITY UPDATE: heap-buffer-overflow write
     - debian/patches/CVE-2020-27823.patch: fix wrong computation in
       src/bin/jp2/convertpng.c.
     - CVE-2020-27823
   * SECURITY UPDATE: global-buffer-overflow
     - debian/patches/CVE-2020-27824.patch: avoid global buffer overflow on
       irreversible conversion when too many decomposition levels are
       specified in src/lib/openjp2/dwt.c.
     - CVE-2020-27824
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2020-27841.patch: add extra checks to
       src/lib/openjp2/pi.c, src/lib/openjp2/pi.h, src/lib/openjp2/t2.c.
     - CVE-2020-27841
   * SECURITY UPDATE: null pointer dereference
     - debian/patches/CVE-2020-27842.patch: add check to
       src/lib/openjp2/t2.c.
     - CVE-2020-27842
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2020-27843.patch: add check to
       src/lib/openjp2/t2.c.
     - CVE-2020-27843
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2020-27845.patch: add extra checks to
       src/lib/openjp2/pi.c.
     - CVE-2020-27845

2020

openjpeg2 (2.3.1-1ubuntu4) focal; urgency=medium

   * SECURITY UPDATE: denial of service via excessive iteration
     - debian/patches/CVE-2019-12973-1.patch: detect invalid file dimensions
       early in src/bin/jp2/convertbmp.c.
     - debian/patches/CVE-2019-12973-2.patch: avoid potential infinite loop
       in src/bin/jp2/convertbmp.c.
     - CVE-2019-12973
   * SECURITY UPDATE: heap overflow in opj_t1_clbl_decode_processor
     - debian/patches/CVE-2020-6851.patch: reject images whose
       coordinates are beyond INT_MAX in src/lib/openjp2/j2k.c.
     - CVE-2020-6851
   * SECURITY UPDATE: another heap overflow in opj_t1_clbl_decode_processor
     - debian/patches/CVE-2020-8112.patch: avoid integer overflow in
       src/lib/openjp2/tcd.c.
     - CVE-2020-8112

openjpeg2 (2.3.1-1ubuntu3) focal; urgency=medium

   * Actually omit libopenjpip-server, not libkate-tools which is not in
     this package.

openjpeg2 (2.3.1-1ubuntu2) focal; urgency=medium

   * No-change rebuild with fixed binutils on arm64.

openjpeg2 (2.3.1-1ubuntu1) focal; urgency=medium

   * Omit libopenjpip-server on i386, we only want the libraries for
     compatibility.

2019

openjpeg2 (2.3.1-1) unstable; urgency=medium

   * New upstream release, addressing following security issues:
     - CVE-2018-20847 (Closes: #931294)
     - CVE-2018-21010 (Closes: #939553)
     - CVE-2018-5727 (Closes: #888532)
   * Remove following patches, applied upstream:
     - CVE-2017-17480.patch
     - CVE-2018-14423.patch
     - CVE-2018-18088.patch
     - CVE-2018-5785.patch
     - CVE-2018-6616.patch
   * Remove debian/patches/multiarch_path.patch:
     - useless since latest upstream changes.
   * Bump Standards-Version to 4.4.1.
   * Refresh and rework manpages.
   * Remove debian/README.source (Closes: #846390).

openjpeg2 (2.3.0-3) unstable; urgency=medium

   [ Helmut Grohne ]
   * Demote java dependencies to Build-Depends-Indep. (Closes: #870644)
 
   [ Mathieu Malaterre ]
   * debian/control: update URLs to new salsa location

openjpeg2 (2.3.0-2) unstable; urgency=high

   [ Hugo Lefeuvre ]
   * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
     jp3d/convert.c (Closes: #884738).
   * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
     pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
   * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
     (Closes: #910763).
   * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
     opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
   * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
     openjp2/t1.c (Closes: #889683).
 
   [ Mathieu Malaterre ]
   * Add Hugo as Uploader

2018

openjpeg2 (2.3.0-1.1) unstable; urgency=medium

   * Non-maintainer upload.
   * Fix "FTBFS with Java 9 due to -source/-target only":
     apply patch by Markus Koschany to build with Java 9 or later.
     (Closes: #873997)

2017

openjpeg2 (2.3.0-1) unstable; urgency=medium

   * New upstream release. Closes: #877758
   * Drop explicit -dbg package. Closes: #877676
   * Fix CVE-2017-14041. Closes: #874115
   * Fix CVE-2017-14151. Closes: #874430
   * Fix CVE-2017-14152. Closes: #874431

openjpeg2 (2.2.0-2) unstable; urgency=medium

   * Fix changelog. Closes: #876535
   * Provide openjpeg-2.1 compat symlinks:
     + usr/include/openjpeg-2.1
     + usr/lib/$(DEB_HOST_MULTIARCH)/openjpeg-2.1

openjpeg2 (2.2.0-1) unstable; urgency=medium

   * New upstream release. Closes: #872041
   * Fix CVE-2016-9113. Closes: #844552
   * Fix CVE-2016-9114. Closes: #844553
   * Fix CVE-2016-9115. Closes: #844554
   * Fix CVE-2016-9116. Closes: #844555
   * Fix CVE-2016-9117. Closes: #844556

openjpeg2 (2.1.2-1.3) unstable; urgency=medium

   * Fix FTBFS (Closes: #871905)

openjpeg2 (2.1.2-1.2) unstable; urgency=medium

   * Non-maintainer upload
   * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and
     CVE-2016-9118.patch

openjpeg2 (2.1.2-1.1) unstable; urgency=medium

   * Non-maintainer upload.
   * Add CVE-2016-9572_CVE-2016-9573.patch patch.
     CVE-2016-9572: NULL pointer dereference in input decoding
     CVE-2016-9573: Heap out-of-bounds read due to insufficient check in
     imagetopnm(). (Closes: #851422)

2016

openjpeg2 (2.1.2-1) unstable; urgency=medium

   * New upstream. Closes: #839120
   * Fix CVE-2016-7163. Closes: #837604
   * Fix CVE-2016-7445. Closes: #838690
   * Remove patches applied upstream:

openjpeg2 (2.1.1-1) unstable; urgency=medium

   * New upstream. Closes: #829734
     + d/watch points toward github now
     + Fix man page typos. Closes: #772889, #784377
     + Raise priority to optional. Closes: #822577
     + Fix multiple CVEs: Closes: #800453, #800149, #818399
   * Fix pc file. Closes: #787383
   * Remove reference to contrib. Closes: #820190
   * Bump Std-Vers to 3.9.8, no changes needed

2015

openjpeg2 (2.1.0-2.1) unstable; urgency=high

   * Non-maintainer upload.
   * Apache 2.4 transition: (Closes: #786333)
     + d/rules: Added --with apache2.
     + Drop d/libopenjpip-server.install.
     + Drop d/libopenjpip-server.prerm.
     + d/control: Add build-depends on dh-apache2, replace depends on
       apache2.2-bin by ${misc:Recommends}, add recommends on
       libapache2-mod-fastcgi.
     + New d/libopenjpip-server.conf for apache2 fastcgi setup.
     + Drop d/libopenjpip-server.load.
     + New d/libopenjpip-server.apache2 to set up the configuration.

2014

openjpeg2 (2.1.0-2) unstable; urgency=low

   * Install *.pc files. Closes: #762251
   * Remove cmake-fatal-error export stuff
   * Fix warnings in d/copyright
   * Bump Std-Vers to 3.9.6, no changes needed
   * Fix include path in export file to handle multi-arch install
     + debian/patches/multiarch_path.patch

openjpeg2 (2.1.0-1) unstable; urgency=low

   * New upstream. Closes: #761154, #761155
   * Rename binary packages to prevent conflicts. Closes: #760874
   * Remove "Multi-Arch: same" for -dev package. Closes: #760421

openjpeg2 (2.0.0-1) unstable; urgency=low

   * New upstream. Closes: #738655.