CVE-2018-16376
Publication date 3 September 2018
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.
Status
Package | Ubuntu Release | Status |
---|---|---|
openjpeg | 20.04 LTS focal | Not in release |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Ignored end of standard support | |
14.04 LTS trusty | Ignored end of ESM support, was ignored [see notes] | |
openjpeg2 | 20.04 LTS focal |
Not affected
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release |
Notes
mdeslaur
Ubuntu packages are built with BUILD_MJ2:BOOL=OFF, so the affected code isn't compiled
ccdm94
according to the comments available in issue 1328 of openjpeg (https://github.com/uclouvain/openjpeg/issues/1328), this issue will not be fixed by upstream, as the vulnerable components were simply removed from the code in pull request #1350. For this reason, xenial and trusty cannot be patched for this issue in package openjpeg.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |