Security update for openjpeg2

Announcement ID:	SUSE-SU-2022:1129-1
Rating:	important
References:	bsc#1102016 bsc#1106881 bsc#1106882 bsc#1140130 bsc#1140205 bsc#1162090 bsc#1173578 bsc#1180457 bsc#1184774 bsc#1197738 bsc#971617 bsc#980504
Cross-References:	CVE-2016-1924 CVE-2016-3183 CVE-2016-4797 CVE-2018-14423 CVE-2018-16375 CVE-2018-16376 CVE-2018-20845 CVE-2018-20846 CVE-2020-15389 CVE-2020-27823 CVE-2020-8112 CVE-2021-29338 CVE-2022-1122
CVSS scores:	CVE-2016-1924 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-1924 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-3183 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-4797 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2016-4797 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-14423 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-14423 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16375 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVE-2018-16375 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16376 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2018-16376 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-20845 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-20845 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20845 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20846 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20846 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20846 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-15389 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-15389 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2020-27823 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-27823 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-8112 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8112 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29338 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-29338 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-1122 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-1122 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	HPE Helion OpenStack 8 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9

An update that solves 13 vulnerabilities can now be installed.

Description:

This update for openjpeg2 fixes the following issues:

• CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
• CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
• CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
• CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
• CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
• CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
• CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
• CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
• CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
• CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
• CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
• CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
• CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• HPE Helion OpenStack 8
  zypper in -t patch HPE-Helion-OpenStack-8-2022-1129=1
• SUSE OpenStack Cloud 8
  zypper in -t patch SUSE-OpenStack-Cloud-8-2022-1129=1
• SUSE OpenStack Cloud 9
  zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1129=1
• SUSE OpenStack Cloud Crowbar 8
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-1129=1
• SUSE OpenStack Cloud Crowbar 9
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1129=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-1129=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-1129=1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-1129=1
• SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-1129=1
• SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2022-1129=1
• SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-1129=1
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2022-1129=1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-1129=1
• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1129=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1129=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1129=1

Package List:

• HPE Helion OpenStack 8 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE OpenStack Cloud 8 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE OpenStack Cloud 9 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE OpenStack Cloud Crowbar 8 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE OpenStack Cloud Crowbar 9 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 (aarch64 x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 (aarch64 ppc64le s390x x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (aarch64 x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (aarch64 ppc64le s390x x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
• SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • libopenjp2-7-debuginfo-2.1.0-4.15.1
  • openjpeg2-debugsource-2.1.0-4.15.1
  • openjpeg2-debuginfo-2.1.0-4.15.1
  • libopenjp2-7-2.1.0-4.15.1

References:

• https://www.suse.com/security/cve/CVE-2016-1924.html
• https://www.suse.com/security/cve/CVE-2016-3183.html
• https://www.suse.com/security/cve/CVE-2016-4797.html
• https://www.suse.com/security/cve/CVE-2018-14423.html
• https://www.suse.com/security/cve/CVE-2018-16375.html
• https://www.suse.com/security/cve/CVE-2018-16376.html
• https://www.suse.com/security/cve/CVE-2018-20845.html
• https://www.suse.com/security/cve/CVE-2018-20846.html
• https://www.suse.com/security/cve/CVE-2020-15389.html
• https://www.suse.com/security/cve/CVE-2020-27823.html
• https://www.suse.com/security/cve/CVE-2020-8112.html
• https://www.suse.com/security/cve/CVE-2021-29338.html
• https://www.suse.com/security/cve/CVE-2022-1122.html
• https://bugzilla.suse.com/show_bug.cgi?id=1102016
• https://bugzilla.suse.com/show_bug.cgi?id=1106881
• https://bugzilla.suse.com/show_bug.cgi?id=1106882
• https://bugzilla.suse.com/show_bug.cgi?id=1140130
• https://bugzilla.suse.com/show_bug.cgi?id=1140205
• https://bugzilla.suse.com/show_bug.cgi?id=1162090
• https://bugzilla.suse.com/show_bug.cgi?id=1173578
• https://bugzilla.suse.com/show_bug.cgi?id=1180457
• https://bugzilla.suse.com/show_bug.cgi?id=1184774
• https://bugzilla.suse.com/show_bug.cgi?id=1197738
• https://bugzilla.suse.com/show_bug.cgi?id=971617
• https://bugzilla.suse.com/show_bug.cgi?id=980504