Candidate: CVE-2016-8332

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332
http://www.talosintelligence.com/reports/TALOS-2016-0193/
https://github.com/uclouvain/openjpeg/pull/820

A buffer overflow in OpenJPEG 2.1.1 causes arbitrary code execution when
parsing a crafted image. An exploitable code execution vulnerability exists
in the jpeg2000 image file format parser as implemented in the OpenJpeg
library. A specially crafted jpeg2000 file can cause an out of bound heap
write resulting in heap corruption leading to arbitrary code execution. For
a successful attack, the target user needs to open a malicious jpeg2000
file. The jpeg2000 image file format is mostly used for embedding images
inside PDF documents and the OpenJpeg library is used by a number of
popular PDF renderers making PDF documents a likely attack vector.

sbeattie> code not present in openjpeg 1.x

https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/1630702

upstream_openjpeg: needs-triage
precise_openjpeg: not-affected (code not present)
trusty_openjpeg: not-affected (code not present)
vivid/stable-phone-overlay_openjpeg: DNE
vivid/ubuntu-core_openjpeg: DNE
xenial_openjpeg: not-affected (code not present)
devel_openjpeg: not-affected (code not present)

upstream: https://github.com/uclouvain/openjpeg/commit/734d57d5f7842aa7c2c9f36d62131ab4d8bd6c87
upstream: https://github.com/uclouvain/openjpeg/commit/805972f4c85fd4b34e08e499c12c68334706df47 (testcase)
upstream_openjpeg2: released (2.1.2-1)
precise_openjpeg2: DNE
vivid/stable-phone-overlay_openjpeg2: DNE
vivid/ubuntu-core_openjpeg2: DNE
xenial_openjpeg2: released (2.1.0-2.1ubuntu0.1)
devel_openjpeg2: released (2.1.1-1ubuntu0.1)