Amazon Linux 2022 Security Advisory: ALAS-2022-184
Advisory Release Date: 2022-11-01 21:24 Pacific
Advisory Updated Date: 2022-11-03 20:59 Pacific
Severity:
Low
Issue Overview:
There is a flaw in the opj2_compress program in openjpeg2. An attacker who is able to submit a large number of image files to be processed in a directory by opj2_compress, could trigger a heap out-of-bounds write due to an integer overflow, which is caused by the large number of image files. The greatest threat posed by this flaw is to confidentiality, integrity, and availability. (CVE-2021-29338)
A flaw was found in the opj2_decompress program in openjpeg2 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service. (CVE-2022-1122)
Affected Packages:
openjpeg2
Issue Correction:
Run dnf update openjpeg2 --releasever=2022.0.20221102 to update your system.
New Packages:
aarch64:
openjpeg2-tools-debuginfo-2.4.0-11.amzn2022.0.2.aarch64
openjpeg2-devel-2.4.0-11.amzn2022.0.2.aarch64
openjpeg2-debuginfo-2.4.0-11.amzn2022.0.2.aarch64
openjpeg2-2.4.0-11.amzn2022.0.2.aarch64
openjpeg2-debugsource-2.4.0-11.amzn2022.0.2.aarch64
openjpeg2-tools-2.4.0-11.amzn2022.0.2.aarch64
noarch:
openjpeg2-devel-docs-2.4.0-11.amzn2022.0.2.noarch
src:
openjpeg2-2.4.0-11.amzn2022.0.2.src
x86_64:
openjpeg2-tools-2.4.0-11.amzn2022.0.2.x86_64
openjpeg2-tools-debuginfo-2.4.0-11.amzn2022.0.2.x86_64
openjpeg2-2.4.0-11.amzn2022.0.2.x86_64
openjpeg2-debuginfo-2.4.0-11.amzn2022.0.2.x86_64
openjpeg2-devel-2.4.0-11.amzn2022.0.2.x86_64
openjpeg2-debugsource-2.4.0-11.amzn2022.0.2.x86_64