From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-2985-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 30437158094
	for <garchives@archives.gentoo.org>; Wed,  7 Sep 2022 03:06:52 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id B4AE8E08DD;
	Wed,  7 Sep 2022 03:04:12 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id E1D1DE0636
	for <gentoo-announce@lists.gentoo.org>; Wed,  7 Sep 2022 02:52:45 +0000 (UTC)
Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165])
	by smtp.gentoo.org (Postfix) with ESMTP id 5754134118D
	for <gentoo-announce@lists.gentoo.org>; Wed,  7 Sep 2022 02:52:45 +0000 (UTC)
Received: from [172.24.0.3] (unknown [172.24.0.3])
	by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 4E777CF83F
	for <gentoo-announce@lists.gentoo.org>; Wed,  7 Sep 2022 02:52:45 +0000 (-00)
Subject: [gentoo-announce] [ GLSA 202209-04 ] OpenJPEG: Multiple Vulnerabilities
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="pgp-sha512"; boundary="===============0159245330530061743=="
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Wed, 07 Sep 2022 02:52:45 -0000
Message-ID: <166251916531.14.12699814926344357814@713d1c2c1be1>
X-Archives-Salt: b8613065-7845-49ac-978e-d47c9898c081
X-Archives-Hash: 1fae9b8d5081aaca1a6ef3c89306db88

--===============0159245330530061743==
Content-Type: text/plain; charset="utf-8"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202209-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: OpenJPEG: Multiple Vulnerabilities
     Date: September 07, 2022
     Bugs: #783513, #836969, #844064
       ID: 202209-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in OpenJPEG, the worst of
which could result in arbitrary code execution.

Background
==========

OpenJPEG is an open-source JPEG 2000 library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/openjpeg        < 2.5.0                      >= 2.5.0

Description
===========

Multiple vulnerabilities have been discovered in OpenJPEG. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenJPEG 2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/openjpeg-2.5.0"

References
==========

[ 1 ] CVE-2021-29338
      https://nvd.nist.gov/vuln/detail/CVE-2021-29338
[ 2 ] CVE-2022-1122
      https://nvd.nist.gov/vuln/detail/CVE-2022-1122

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
--===============0159245330530061743==
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmMYB30ACgkQFMQkOaVy
+9lNSxAApkl+SmgmAmoC+qTB00pJ3K0vGcTGVzOMzt3aM+ODSpbsFOG4fQLEpSr8
Z/FaC9XQYjlbj8x9MUc0gxx0mvZXyzSuMdYkFj46JRtjpEvyDGUdu4b+NxpRfZ6D
MqZAzzxoa9Y/Rld7JTixN0rzNhpHg6jnFoLtxqgB81sCzjCTFrk2nAyR6BPPe2pf
Awj7l84G4u75XEhKDh2ypp9J/gdzI9i5zJV04My57aA3cuyRc0Dl6WQFmgGQY4n5
rXeHM4rbwnzsVTs9ABBTtHImvyZ+KctXdN4BVq/GsQLLNrnB7tXQh/NLUmLTBU0u
z55ZU3EAqCz6lkW5geFfQ4mSySb44BsgDtfB+AmCl6n9S3+0NpCaFzjX4sVUBBIY
kBpKuMEhA3A1sNrKkCMfSUePBO4709sVaKoMon2KzK9pqr6AvlZOphuMvsfxY8Ti
uNN+xgY4FqYyR7U/lZQZQtEDH10lNwOP/XCIRMrpCTPVcrYcdfXk7TmNesljPJK4
tBVpYuiD70RI+r4t+goPkg+USQUT89ZsSCju16/Oz34m9dN6ehWOe9Fw8twS+HOF
VvCmtZFCB26AwjHTtXwi5rX/oVBHNdopx/JGokF8Jt+DXdgfL0y45ntKS7EsVqR5
8ZGTPLRKRPoJSXNXGr04RQbdNgoFyEdj4XlxFQswAqSruk+2O0k=
=ROwH
-----END PGP SIGNATURE-----

--===============0159245330530061743==--