openjpeg2 (2.3.1-1ubuntu4.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: use-after-free via directory
    - debian/patches/CVE-2020-15389.patch: fix double-free on input
      directory with mix of valid and invalid images in
      src/bin/jp2/opj_decompress.c.
    - CVE-2020-15389
  * SECURITY UPDATE: heap-buffer-overflow
    - debian/patches/CVE-2020-27814-1.patch: grow buffer size in
      src/lib/openjp2/tcd.c.
    - debian/patches/CVE-2020-27814-2.patch: grow it again
    - debian/patches/CVE-2020-27814-3.patch: and some more
    - debian/patches/CVE-2020-27814-4.patch: bigger, BIGGER!!!
    - CVE-2020-27814
  * SECURITY UPDATE: heap-buffer-overflow write
    - debian/patches/CVE-2020-27823.patch: fix wrong computation in
      src/bin/jp2/convertpng.c.
    - CVE-2020-27823
  * SECURITY UPDATE: global-buffer-overflow
    - debian/patches/CVE-2020-27824.patch: avoid global buffer overflow on
      irreversible conversion when too many decomposition levels are
      specified in src/lib/openjp2/dwt.c.
    - CVE-2020-27824
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27841.patch: add extra checks to
      src/lib/openjp2/pi.c, src/lib/openjp2/pi.h, src/lib/openjp2/t2.c.
    - CVE-2020-27841
  * SECURITY UPDATE: null pointer dereference
    - debian/patches/CVE-2020-27842.patch: add check to
      src/lib/openjp2/t2.c.
    - CVE-2020-27842
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27843.patch: add check to
      src/lib/openjp2/t2.c.
    - CVE-2020-27843
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27845.patch: add extra checks to
      src/lib/openjp2/pi.c.
    - CVE-2020-27845

 -- Marc Deslauriers  Wed, 06 Jan 2021 09:44:46 -0500

openjpeg2 (2.3.1-1ubuntu4) focal; urgency=medium

  * SECURITY UPDATE: denial of service via excessive iteration
    - debian/patches/CVE-2019-12973-1.patch: detect invalid file dimensions
      early in src/bin/jp2/convertbmp.c.
    - debian/patches/CVE-2019-12973-2.patch: avoid potential infinite loop
      in src/bin/jp2/convertbmp.c.
    - CVE-2019-12973
  * SECURITY UPDATE: heap overflow in opj_t1_clbl_decode_processor
    - debian/patches/CVE-2020-6851.patch: reject images whose coordinates
      are beyond INT_MAX in src/lib/openjp2/j2k.c.
    - CVE-2020-6851
  * SECURITY UPDATE: another heap overflow in opj_t1_clbl_decode_processor
    - debian/patches/CVE-2020-8112.patch: avoid integer overflow in
      src/lib/openjp2/tcd.c.
    - CVE-2020-8112

 -- Marc Deslauriers  Wed, 19 Feb 2020 09:52:00 -0500

openjpeg2 (2.3.1-1ubuntu3) focal; urgency=medium

  * Actually omit libopenjpip-server, not libkate-tools which is not in
    this package.

 -- Steve Langasek  Mon, 17 Feb 2020 09:39:20 -0800

openjpeg2 (2.3.1-1ubuntu2) focal; urgency=medium

  * No-change rebuild with fixed binutils on arm64.

 -- Matthias Klose  Mon, 10 Feb 2020 08:14:07 +0100

openjpeg2 (2.3.1-1ubuntu1) focal; urgency=medium

  * Omit libopenjpip-server on i386, we only want the libraries for
    compatibility.

 -- Steve Langasek  Tue, 07 Jan 2020 14:52:51 -0800

openjpeg2 (2.3.1-1) unstable; urgency=medium

  * New upstream release, addressing following security issues:
    - CVE-2018-20847 (Closes: #931294)
    - CVE-2018-21010 (Closes: #939553)
    - CVE-2018-5727 (Closes: #888532)
  * Remove following patches, applied upstream:
    - CVE-2017-17480.patch
    - CVE-2018-14423.patch
    - CVE-2018-18088.patch
    - CVE-2018-5785.patch
    - CVE-2018-6616.patch
  * Remove debian/patches/multiarch_path.patch:
    - useless since latest upstream changes.
  * Bump Standards-Version to 4.4.1.
  * Refresh and rework manpages.
  * Remove debian/README.source (Closes: #846390).

 -- Hugo Lefeuvre  Mon, 07 Oct 2019 13:46:43 +0200

openjpeg2 (2.3.0-3) unstable; urgency=medium

  [ Helmut Grohne ]
  * Demote java dependencies to Build-Depends-Indep. (Closes: #870644)

  [ Mathieu Malaterre ]
  * debian/control: update URLs to new salsa location

 -- Mathieu Malaterre  Mon, 30 Sep 2019 15:17:58 +0200

openjpeg2 (2.3.0-2) unstable; urgency=high

  [ Hugo Lefeuvre ]
  * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function
    in jp3d/convert.c (Closes: #884738).
  * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
    pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
  * CVE-2018-18088: null pointer dereference in imagetopnm in
    jp2/convert.c (Closes: #910763).
  * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift
    in the opj_j2k_setup_encoder function (openjp2/j2k.c)
    (Closes: #888533).
  * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function
    of openjp2/t1.c (Closes: #889683).

  [ Mathieu Malaterre ]
  * Add Hugo as Uploader

 -- Mathieu Malaterre  Sun, 10 Mar 2019 18:34:51 +0100

openjpeg2 (2.3.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix "FTBFS with Java 9 due to -source/-target only": apply patch by
    Markus Koschany to build with Java 9 or later. (Closes: #873997)

 -- gregor herrmann  Sun, 02 Dec 2018 18:18:22 +0100

openjpeg2 (2.3.0-1) unstable; urgency=medium

  * New upstream release. Closes: #877758
  * Drop explicit -dbg package. Closes: #877676
  * Fix CVE-2017-14041. Closes: #874115
  * Fix CVE-2017-14151. Closes: #874430
  * Fix CVE-2017-14152. Closes: #874431

 -- Mathieu Malaterre  Mon, 16 Oct 2017 07:43:41 +0200

openjpeg2 (2.2.0-2) unstable; urgency=medium

  * Fix changelog. Closes: #876535
  * Provide openjpeg-2.1 compat symlinks:
    + usr/include/openjpeg-2.1
    + usr/lib/$(DEB_HOST_MULTIARCH)/openjpeg-2.1

 -- Mathieu Malaterre  Tue, 03 Oct 2017 07:20:44 +0200

openjpeg2 (2.2.0-1) unstable; urgency=medium

  * New upstream release. Closes: #872041
  * Fix CVE-2016-9113. Closes: #844552
  * Fix CVE-2016-9114. Closes: #844553
  * Fix CVE-2016-9115. Closes: #844554
  * Fix CVE-2016-9116. Closes: #844555
  * Fix CVE-2016-9117. Closes: #844556

 -- Mathieu Malaterre  Fri, 22 Sep 2017 21:51:36 +0200

openjpeg2 (2.1.2-1.3) unstable; urgency=medium

  * Fix FTFBS (Closes: #871905)

 -- Moritz Muehlenhoff  Sat, 12 Aug 2017 15:54:38 +0200

openjpeg2 (2.1.2-1.2) unstable; urgency=medium

  * Non-maintainer upload
  * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and
    CVE-2016-9118.patch

 -- Moritz Muehlenhoff  Fri, 11 Aug 2017 22:17:07 +0200

openjpeg2 (2.1.2-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Add CVE-2016-9572_CVE-2016-9573.patch patch.
    CVE-2016-9572: NULL pointer dereference in input decoding
    CVE-2016-9573: Heap out-of-bounds read due to insufficient check in
    imagetopnm(). (Closes: #851422)

 -- Salvatore Bonaccorso  Sun, 22 Jan 2017 14:18:13 +0100

openjpeg2 (2.1.2-1) unstable; urgency=medium

  * New upstream. Closes: #839120
  * Fix CVE-2016-7163. Closes: #837604
  * Fix CVE-2016-7445. Closes: #838690
  * Remove patches applied upstream:

 -- Mathieu Malaterre  Thu, 29 Sep 2016 08:11:30 +0200

openjpeg2 (2.1.1-1) unstable; urgency=medium

  * New upstream. Closes: #829734
    + d/watch points toward github now
    + Fix man page typos. Closes: #772889, #784377
    + Raise priority to optional. Closes: #822577
    + Fix multiple CVEs: Closes: #800453, #800149, #818399
  * Fix pc file. Closes: #787383
  * Remove reference to contrib. Closes: #820190
  * Bump Std-Vers to 3.9.8, no changes needed

 -- Mathieu Malaterre  Mon, 11 Jul 2016 09:28:19 +0200

openjpeg2 (2.1.0-2.1) unstable; urgency=high

  * Non-maintainer upload.
  * Apache 2.4 transition: (Closes: #786333)
    + d/rules: Added --with apache2.
    + Drop d/libopenjpip-server.install.
    + Drop d/libopenjpip-server.prerm.
    + d/control: Add build-depends on dh-apache2, replace depends on
      apache2.2-bin by ${misc:Recommends}, add recommends on
      libapache2-mod-fastcgi.
    + New d/libopenjpip-server.conf for apache2 fastcgi setup.
    + Drop d/libopenjpip-server.load.
    + New d/libopenjpip-server.apache2 to set up the configuration.

 -- Jean-Michel Vourgère  Thu, 21 May 2015 23:05:40 +0200

openjpeg2 (2.1.0-2) unstable; urgency=low

  * Install *.pc files. Closes: #762251
  * Remove cmake-fatal-error export stuff
  * Fix warnings in d/copyright
  * Bump Std-Vers to 3.9.6, no changes needed
  * Fix include path in export file to handle multi-arch install
    + debian/patches/multiarch_path.patch

 -- Mathieu Malaterre  Tue, 07 Oct 2014 13:14:43 +0200

openjpeg2 (2.1.0-1) unstable; urgency=low

  * New upstream. Closes: #761154, #761155
  * Rename binary packages to prevent conflicts. Closes: #760874
  * Remove "Multi-Arch: same" for -dev package. Closes: #760421

 -- Mathieu Malaterre  Thu, 11 Sep 2014 17:40:46 +0200

openjpeg2 (2.0.0-1) unstable; urgency=low

  * New upstream. Closes: #738655.

 -- Mathieu Malaterre  Fri, 23 May 2014 18:23:37 +0200