- Package: src:openjpeg2
- Source: src:openjpeg2
- Submitter: Salvatore Bonaccorso
- Date: 2025-08-22 10:49:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for openjpeg2.

CVE-2025-54874[0]:
| OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
| earlier, a call to opj_jp2_read_header may lead to OOB heap memory
| write when the data stream p_stream is too short and p_image is not
| initialized.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54874
    https://www.cve.org/CVERecord?id=CVE-2025-54874
[1] https://github.com/uclouvain/openjpeg/pull/1573
[2] https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d

Regards,
Salvatore

Dear maintainer,

I've prepared an NMU for openjpeg2 (versioned as 2.5.3-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

cu
Adrian

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated openjpeg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 09 Aug 2025 18:19:52 +0300
Source: openjpeg2
Architecture: source
Version: 2.5.3-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1110443
Changes:
 openjpeg2 (2.5.3-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54874: Out-of-bounds write in opj_jp2_read_header()
     (Closes: #1110443)
Format: 1.8
Date: Sun, 17 Aug 2025 18:30:07 +0300
Source: openjpeg2
Architecture: source
Version: 2.5.3-2.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1110443
Changes:
 openjpeg2 (2.5.3-2.1~deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie.
 .
 openjpeg2 (2.5.3-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54874: Out-of-bounds write in opj_jp2_read_header()
     (Closes: #1110443)