This afternoon, Canonical published a report detailing 5 security flaws in openjpeg2, the JPEG 2000 compression/decompression library, that could cause Ubuntu to crash or worse. Initially, the flaws found in OpenJPEG affect only Ubuntu 18.04 LTS, so the other two versions that still have official support would be spared: Ubuntu 16.04 Xenial Xerus (where they were corrected in the past) and Ubuntu 19.04, the latest version of Canonical's operating system, which was released last April.
Unlike some security researchers who release vulnerabilities before they are fixed, Canonical only discloses security flaws after patches have been released. In total, 5 bugs have been fixed, and all of them could be used to cause denial of service (DoS). For one of the flaws, they also mention that it could allow remote code execution.
OpenJPEG bug could allow remote code execution
The bugs fixed are:
- CVE-2017-17480: OpenJPEG was found to incorrectly handle certain PGX files. An attacker could use this flaw to cause denial of service or perform remote code execution.
- CVE-2018-14423: OpenJPEG was found to incorrectly handle certain files. An attacker could use this flaw to cause denial of service.
- CVE-2018-18088: OpenJPEG was found to incorrectly handle certain PNM files. An attacker could use this flaw to cause denial of service.
- CVE-2018-5785 and CVE-2018-6616: OpenJPEG was also incorrectly handling some BMP files. An attacker could use the flaw to cause denial of service.
The patches that fix these 5 bugs are already available in the official repositories of Ubuntu 18.04 LTS. The packages to install are libopenjp2-7 – 2.3.0-2build0.18.04.1, libopenjp3d7 – 2.3.0-2build0.18.04.1 and libopenjpip7 – 2.3.0-2build0.18.04.1. To do this, just open the Software Update app or any of the available software centers and update the mentioned packages.
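To confirm that the update actually landed, for instance across several machines, the check below flags any of the three packages still older than the fixed version given above. It is an added example, not part of Canonical's notice: the comparison reimplements Debian's version ordering in Python (on a single host, `dpkg --compare-versions` does the same), and the sample inventory is constructed.

```python
import re

# Package names and fixed version as listed in the article for Ubuntu 18.04 LTS.
FIXED = "2.3.0-2build0.18.04.1"
PACKAGES = {"libopenjp2-7", "libopenjp3d7", "libopenjpip7"}

def _order(ch):
    # dpkg character weights: '~' sorts first, then letters, then other symbols
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _part_key(part):
    # Sort key for an upstream or revision string: alternating text and number runs
    key = []
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        if text or digits:
            key.append(([_order(c) for c in text] + [0], int(digits or 0)))
    return key + [([0], 0)]  # end marker, so "1.0~rc1" sorts before "1.0"

def version_key(version):
    # Sort key following Debian ordering for [epoch:]upstream[-revision]
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"  # a missing revision equals revision 0
    return (int(epoch), _part_key(upstream), _part_key(revision))

def outdated(inventory, fixed=FIXED):
    # Return sorted (package, version) pairs still below the fixed version
    hits = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # blank line, or package known to dpkg but not installed
        name, version = fields[0].split(":")[0], fields[1]  # drop ":amd64" etc.
        if name in PACKAGES and version_key(version) < version_key(fixed):
            hits.append((name, version))
    return sorted(hits)

# Constructed sample in the format of: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE = """\
libopenjp2-7 2.3.0-1
libopenjp3d7 2.3.0-2build0.18.04.1
libopenjpip7 2.3.0-2
libpng16-16 1.6.34-1
"""

print(outdated(SAMPLE))
```

A plain string comparison would get cases such as `2.3.0-10` versus `2.3.0-9` wrong, which is why the key splits each version into text and number runs.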