Your message dated Sat, 06 Sep 2025 12:14:50 +0100 with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk> and subject line Closing p-u requests for fixes included in 12.12 has caused the Debian Bug report #1110686, regarding bookworm-pu: package openjpeg2/2.5.0-2+deb12u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1110686: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110686 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package openjpeg2/2.5.0-2+deb12u2
- From: Adrian Bunk <bunk@debian.org>
- Date: Sun, 10 Aug 2025 06:27:23 +0300
- Message-id: <175479644353.3211402.6839971923328953836.reportbug@localhost>
Package: release.debian.org Severity: normal Tags: bookworm, moreinfo X-Debbugs-Cc: openjpeg2@packages.debian.org, security@debian.org Control: affects -1 + src:openjpeg2 User: release.debian.org@packages.debian.org Usertags: pu * CVE-2025-50952: Avoid potential undefined behaviour in opj_dwt_decode_tile() Tagged moreinfo, as question to the security team whether they want this in pu or as DSA.diffstat for openjpeg2-2.5.0 openjpeg2-2.5.0 changelog | 8 ++ patches/0001-opj_dwt_decode_tile-avoid-potential-UndefinedBehavio.patch | 28 ++++++++++ patches/series | 1 3 files changed, 37 insertions(+) diff -Nru openjpeg2-2.5.0/debian/changelog openjpeg2-2.5.0/debian/changelog --- openjpeg2-2.5.0/debian/changelog 2025-01-24 18:41:23.000000000 +0200 +++ openjpeg2-2.5.0/debian/changelog 2025-08-10 03:05:29.000000000 +0300 @@ -1,3 +1,11 @@ +openjpeg2 (2.5.0-2+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2025-50952: Avoid potential undefined behaviour + in opj_dwt_decode_tile() + + -- Adrian Bunk <bunk@debian.org> Sun, 10 Aug 2025 03:05:29 +0300 + openjpeg2 (2.5.0-2+deb12u1) bookworm-security; urgency=medium * CVE-2021-3575 (Closes: #989775) diff -Nru openjpeg2-2.5.0/debian/patches/0001-opj_dwt_decode_tile-avoid-potential-UndefinedBehavio.patch openjpeg2-2.5.0/debian/patches/0001-opj_dwt_decode_tile-avoid-potential-UndefinedBehavio.patch --- openjpeg2-2.5.0/debian/patches/0001-opj_dwt_decode_tile-avoid-potential-UndefinedBehavio.patch 1970-01-01 02:00:00.000000000 +0200 +++ openjpeg2-2.5.0/debian/patches/0001-opj_dwt_decode_tile-avoid-potential-UndefinedBehavio.patch 2025-08-10 03:05:04.000000000 +0300 @@ -0,0 +1,28 @@ +From d4ac96d6460a9f4cc4519dbfcc7da6ad385bbe58 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 18 Feb 2024 17:17:00 +0100 +Subject: opj_dwt_decode_tile(): avoid potential UndefinedBehaviorSanitizer + 'applying zero offset to null pointer' (fixes #1505) + +--- + src/lib/openjp2/dwt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c +index abc500ec..6b18c5dd 100644 +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -2083,7 +2083,9 @@ static OPJ_BOOL opj_dwt_decode_tile(opj_thread_pool_t* tp, + OPJ_SIZE_T h_mem_size; + int num_threads; + +- if (numres == 1U) { ++ /* Not entirely sure for the return code of w == 0 which is triggered per */ ++ /* https://github.com/uclouvain/openjpeg/issues/1505 */ ++ if (numres == 1U || w == 0) { + return OPJ_TRUE; + } + num_threads = opj_thread_pool_get_thread_count(tp); +-- +2.30.2 + diff -Nru openjpeg2-2.5.0/debian/patches/series openjpeg2-2.5.0/debian/patches/series --- openjpeg2-2.5.0/debian/patches/series 2025-01-24 18:17:00.000000000 +0200 +++ openjpeg2-2.5.0/debian/patches/series 2025-08-10 03:05:29.000000000 +0300 @@ -4,3 +4,4 @@ CVE-2023-39327.patch CVE-2024-56826.patch CVE-2024-56827.patch +0001-opj_dwt_decode_tile-avoid-potential-UndefinedBehavio.patch
--- End Message ---
--- Begin Message ---
- To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 12.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Sep 2025 12:14:50 +0100
- Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 12.12 Hi, Each of the updates referenced by these requests was included in today's 12.12 point release for bookworm. Regards, Adam
--- End Message ---