CVE-2021-29338
Publication date 14 April 2021
Last updated 24 July 2024
Ubuntu priority
Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| blender | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release | |
| ghostscript | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| insighttoolkit4 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release | |
| openjpeg | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| openjpeg2 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release | |
| qtwebengine-opensource-src | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| texmaker | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release |
Notes
iconstantin
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.14+esm2 for xenial was released to address this CVE but it was thereafter determined that the impacted code is not compiled and so the package is not vulnerable. still need to verify if commits from PR 1397 and 1398 should be included as part of our patch.
sbeattie
fix is being worked in pull request 1346.
mdeslaur
this only affects the opj_* tools in the liopenjp2-tools universe package
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |