Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-29338

Published: 14 April 2021

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Notes

AuthorNote
iconstantin
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.14+esm2 for xenial
was released to address this CVE but it was thereafter determined that
the impacted code is not compiled and so the package is not vulnerable.
still need to verify if commits from PR 1397 and 1398 should
be included as part of our patch.
sbeattie
fix is being worked in pull request 1346.
mdeslaur
this only affects the opj_* tools in the liopenjp2-tools
universe package

Priority

Low

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package Release Status
blender
Launchpad, Ubuntu, Debian
jammy Needed

impish Ignored
(end of life)
kinetic Ignored
(end of life, was needed)
bionic Needed

focal Needed

hirsute Ignored
(end of life)
trusty Does not exist

upstream Needs triage

xenial Deferred
(2022-01-05)
groovy Ignored
(end of life)
mantic Needed

lunar Ignored
(end of life, was needed)
ghostscript
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not compiled)
focal Not vulnerable
(uses system openjpeg2)
groovy Not vulnerable
(uses system openjpeg2)
hirsute Not vulnerable
(uses system openjpeg2)
jammy Not vulnerable
(uses system openjpeg2)
kinetic Not vulnerable
(uses system openjpeg2)
trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not compiled)
impish Not vulnerable
(uses system openjpeg2)
lunar Not vulnerable
(uses system openjpeg2)
mantic Not vulnerable
(uses system openjpeg2)
insighttoolkit4
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

groovy Ignored
(end of life)
hirsute Ignored
(end of life)
jammy Needed

trusty Does not exist

upstream Needs triage

xenial Deferred
(2022-01-05)
impish Ignored
(end of life)
kinetic Ignored
(end of life, was needed)
mantic Does not exist

lunar Ignored
(end of life, was needed)
openjpeg
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

jammy Does not exist

kinetic Does not exist

trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
impish Does not exist

lunar Does not exist

mantic Does not exist

openjpeg2
Launchpad, Ubuntu, Debian
jammy Needed

trusty Does not exist

upstream
Released (2.5.0)
impish Ignored
(end of life)
kinetic Ignored
(end of life, was needed)
bionic Needed

focal Needed

groovy Ignored
(end of life)
hirsute Ignored
(end of life)
xenial Deferred
(2022-01-05)
mantic Not vulnerable
(2.5.0-1build1)
lunar Ignored
(end of life, was needed)
Patches:
upstream: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c
upstream: https://github.com/uclouvain/openjpeg/commit/1daaa0b909aebdf71be36238d16dfbec83c494ed
Binaries built from this source package are in Universe and so are supported by the community.
qtwebengine-opensource-src
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

groovy Ignored
(end of life)
hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

trusty Does not exist

upstream Needs triage

xenial Does not exist

kinetic Ignored
(end of life, was needed)
mantic Needed

lunar Ignored
(end of life, was needed)
texmaker
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

groovy Ignored
(end of life)
hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

trusty Does not exist

upstream Needs triage

xenial Deferred
(2022-01-05)
kinetic Ignored
(end of life, was needed)
mantic Needed

lunar Ignored
(end of life, was needed)

Severity score breakdown

Parameter Value
Base score 5.5
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H