CVE-2021-29338
Publication date 14 April 2021
Last updated 5 November 2024
Ubuntu priority
Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| blender | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release | |
| ghostscript | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| insighttoolkit4 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release | |
| openjpeg | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| openjpeg2 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 2.4.0-6ubuntu0.2
|
|
| 20.04 LTS focal |
Fixed 2.3.1-1ubuntu4.20.04.3
|
|
| 18.04 LTS bionic |
Fixed 2.3.0-2+deb10u2ubuntu0.1~esm3
|
|
| 16.04 LTS xenial |
Fixed 2.1.2-1.1+deb9u6ubuntu0.1~esm6
|
|
| 14.04 LTS trusty | Not in release | |
| qtwebengine-opensource-src | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| texmaker | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
iconstantin
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.14+esm2 for xenial was released to address this CVE but it was thereafter determined that the impacted code is not compiled and so the package is not vulnerable. still need to verify if commits from PR 1397 and 1398 should be included as part of our patch.
sbeattie
fix is being worked in pull request 1346.
mdeslaur
this only affects the opj_* tools in the liopenjp2-tools universe package
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7083-1
- OpenJPEG vulnerabilities
- 5 November 2024