OpenSUSE Linux update for openjpeg2
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2015-1239 CVE-2017-17479 CVE-2017-17480 |
| CWE-ID | CWE-415 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openSUSE Leap Operating systems & Components / Operating system package or component |
| Vendor | SDB |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Double free memory error
EUVDB-ID: #VU13106
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-1239
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to double free memory error in the j2k_read_ppm_v3 function. A remote attacker can send a specially crafted PDF file, trigger memory corruption and cause the service to crash.
MitigationUpdate the affected packages.
openSUSE Leap: 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-05/msg00091.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU13107
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-17479
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The vulnerability exists due to stack-based buffer overflow in the pgxtoimage function in jpwl/convert.c. A remote unauthenticated attacker can trigger memory corruption that leads to out-of-bounds write and cause the service to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
openSUSE Leap: 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-05/msg00091.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory corruption
EUVDB-ID: #VU13108
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-17480
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The vulnerability exists due to stack-based buffer overflow in the pgxtoimage function in jpwl/convert.c. A remote unauthenticated attacker can trigger memory corruption that leads to out-of-bounds write and cause the service to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
openSUSE Leap: 42.3
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2018-05/msg00091.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
