Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2016-9114

Published: 30 October 2016

There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service.

Notes

AuthorNote
ccdm94
According to comments in issue 863 (related to CVE-2016-9572),
https://github.com/uclouvain/openjpeg/issues/863#issuecomment-258071962
to be more specific, and the changes in commit 2fa0fc61f2d, which
fixes 862, it seems like this issue might be fixed by commit
2fa0fc61f2d (this commit, however, seems to be incomplete, and this
is fixed by additionally adding 784d4d47e97).
eslerm
in addition to 2fa0fc6 and 784d4d4, c22cbd8 and 00f4568 was applied to this set of CVEs note that 00f4568 is part of 0394f8d

Priority

Low

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
openjpeg2
Launchpad, Ubuntu, Debian
upstream
Released (2.2.0)
impish Not vulnerable
(2.2.0-1)
groovy Not vulnerable
(2.2.0-1)
jammy Not vulnerable
(2.2.0-1)
xenial Needed

kinetic Not vulnerable
(2.2.0-1)
lunar Not vulnerable
(2.2.0-1)
artful Ignored
(end of life)
bionic Not vulnerable
(2.2.0-1)
cosmic Not vulnerable
(2.2.0-1)
disco Not vulnerable
(2.2.0-1)
eoan Not vulnerable
(2.2.0-1)
focal Not vulnerable
(2.2.0-1)
hirsute Not vulnerable
(2.2.0-1)
precise Does not exist

trusty Does not exist

yakkety Ignored
(end of life)
zesty Ignored
(end of life)
mantic Not vulnerable
(2.2.0-1)
Patches:


upstream: https://github.com/uclouvain/openjpeg/commit/2fa0fc61f2d546c8b67e7c5a9cbc61d98e1f7af0
upstream: https://github.com/uclouvain/openjpeg/commit/784d4d47e97b5d0fccccbd931349997a0e2074cc
ghostscript
Launchpad, Ubuntu, Debian
impish Not vulnerable
(uses system openjpeg2)
bionic Not vulnerable
(code not compiled)
xenial Not vulnerable
(code not compiled)
jammy Not vulnerable
(uses system openjpeg2)
kinetic Not vulnerable
(uses system openjpeg2)
lunar Not vulnerable
(uses system openjpeg2)
focal Not vulnerable
(uses system openjpeg2)
groovy Not vulnerable
(uses system openjpeg2)
hirsute Not vulnerable
(uses system openjpeg2)
trusty Does not exist

upstream Needs triage

mantic Not vulnerable
(uses system openjpeg2)
openjpeg
Launchpad, Ubuntu, Debian
impish Does not exist

trusty Ignored
(changes too intrusive)
jammy Does not exist

kinetic Does not exist

lunar Does not exist

bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

upstream
Released (2.2.0)
xenial Ignored
(changes too intrusive)
mantic Does not exist

Patches:
upstream: https://github.com/uclouvain/openjpeg/commit/2fa0fc61f2d546c8b67e7c5a9cbc61d98e1f7af0
upstream: https://github.com/uclouvain/openjpeg/commit/784d4d47e97b5d0fccccbd931349997a0e2074cc


Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H