[automatic] Publish and update 169 advisories for 42 packages

advisories/published/2025/JLSEC-0000-mnss5i5ta-1j3fvky.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5i5ta-1j3fvky"
+modified = 2025-11-04T03:25:41.998Z
+upstream = ["CVE-2017-5950"]
+references = ["http://www.securityfocus.com/bid/97307", "https://github.com/jbeder/yaml-cpp/issues/459", "http://seclists.org/fulldisclosure/2024/Nov/0", "http://www.securityfocus.com/bid/97307", "https://github.com/jbeder/yaml-cpp/issues/459"]
+
+[[affected]]
+pkg = "yaml_cpp_jll"
+ranges = ["< 0.6.3+0"]
+
+[[jlsec_sources]]
+id = "CVE-2017-5950"
+imported = 2025-11-04T03:25:41.980Z
+modified = 2025-11-03T22:15:43.977Z
+published = 2017-04-03T05:59:00.800Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2017-5950"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2017-5950"
+```
+
+# The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) 0.5.3 allows remote attackers...
+
+The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) 0.5.3 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.
+

advisories/published/2025/JLSEC-0000-mnss5iczu-kbr10h.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5iczu-kbr10h"
+modified = 2025-11-04T03:25:51.306Z
+upstream = ["CVE-2021-29338"]
+references = ["https://github.com/uclouvain/openjpeg/issues/1338", "https://lists.debian.org/debian-lts-announce/2022/04/msg00006.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/", "https://security.gentoo.org/glsa/202209-04", "https://github.com/uclouvain/openjpeg/issues/1338", "https://lists.debian.org/debian-lts-announce/2022/04/msg00006.html", "https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/", "https://security.gentoo.org/glsa/202209-04"]
+
+[[affected]]
+pkg = "OpenJpeg_jll"
+ranges = [">= 2.4.0+0, < 2.5.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-29338"
+imported = 2025-11-04T03:25:51.306Z
+modified = 2025-11-03T20:15:46.223Z
+published = 2021-04-14T14:15:14.133Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-29338"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-29338"
+```
+
+# Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Deni...
+
+Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.
+

advisories/published/2025/JLSEC-0000-mnss5idbt-ntog76.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5idbt-ntog76"
+modified = 2025-11-04T03:25:51.737Z
+upstream = ["CVE-2021-29921"]
+references = ["https://bugs.python.org/issue36384", "https://docs.python.org/3/library/ipaddress.html", "https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst", "https://github.com/python/cpython/pull/12577", "https://github.com/python/cpython/pull/25099", "https://github.com/sickcodes", "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md", "https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html", "https://security.gentoo.org/glsa/202305-02", "https://security.netapp.com/advisory/ntap-20210622-0003/", "https://sick.codes/sick-2021-014", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://bugs.python.org/issue36384", "https://docs.python.org/3/library/ipaddress.html", "https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst", "https://github.com/python/cpython/pull/12577", "https://github.com/python/cpython/pull/25099", "https://github.com/sickcodes", "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md", "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html", "https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html", "https://security.gentoo.org/glsa/202305-02", "https://security.netapp.com/advisory/ntap-20210622-0003/", "https://sick.codes/sick-2021-014", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html"]
+
+[[affected]]
+pkg = "Python_jll"
+ranges = ["< 3.10.7+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-29921"
+imported = 2025-11-04T03:25:51.737Z
+modified = 2025-11-03T22:15:48.057Z
+published = 2021-05-06T13:15:12.573Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-29921"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-29921"
+```
+
+# In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an...
+
+In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
+

advisories/published/2025/JLSEC-0000-mnss5ido5-ntjkh7.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5ido5-ntjkh7"
+modified = 2025-11-04T03:25:52.181Z
+upstream = ["CVE-2021-3426"]
+references = ["https://bugzilla.redhat.com/show_bug.cgi?id=1935913", "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html", "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/", "https://security.gentoo.org/glsa/202104-04", "https://security.netapp.com/advisory/ntap-20210629-0003/", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://bugzilla.redhat.com/show_bug.cgi?id=1935913", "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html", "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/", "https://security.gentoo.org/glsa/202104-04", "https://security.netapp.com/advisory/ntap-20210629-0003/", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuoct2021.html"]
+
+[[affected]]
+pkg = "Python_jll"
+ranges = ["< 3.8.8+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-3426"
+imported = 2025-11-04T03:25:52.181Z
+modified = 2025-11-03T22:15:50.480Z
+published = 2021-05-20T13:15:07.753Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-3426"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
+```
+
+# There's a flaw in Python 3's pydoc
+
+There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
+

advisories/published/2025/JLSEC-0000-mnss5if47-fiwpvy.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5if47-fiwpvy"
+modified = 2025-11-04T03:25:54.055Z
+upstream = ["CVE-2021-24119"]
+references = ["https://github.com/ARMmbed/mbedtls/releases", "https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md", "https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html", "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/", "https://github.com/ARMmbed/mbedtls/releases", "https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md", "https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html", "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html", "https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/"]
+
+[[affected]]
+pkg = "MbedTLS_jll"
+ranges = ["< 2.26.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-24119"
+imported = 2025-11-04T03:25:54.055Z
+modified = 2025-11-03T20:15:45.783Z
+published = 2021-07-14T13:15:08.100Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-24119"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-24119"
+```
+
+# In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows...
+
+In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.
+

advisories/published/2025/JLSEC-0000-mnss5ifc6-1lbuai5.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5ifc6-1lbuai5"
+modified = 2025-11-04T03:25:54.342Z
+upstream = ["CVE-2021-36976"]
+references = ["http://seclists.org/fulldisclosure/2022/Mar/27", "http://seclists.org/fulldisclosure/2022/Mar/28", "http://seclists.org/fulldisclosure/2022/Mar/29", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375", "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SE5NJQNM22ZE5Z55LPAGCUHSBQZBKMKC/", "https://security.gentoo.org/glsa/202208-26", "https://support.apple.com/kb/HT213182", "https://support.apple.com/kb/HT213183", "https://support.apple.com/kb/HT213193", "http://seclists.org/fulldisclosure/2022/Mar/27", "http://seclists.org/fulldisclosure/2022/Mar/28", "http://seclists.org/fulldisclosure/2022/Mar/29", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375", "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml", "https://lists.debian.org/debian-lts-announce/2024/11/msg00007.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SE5NJQNM22ZE5Z55LPAGCUHSBQZBKMKC/", "https://security.gentoo.org/glsa/202208-26", "https://support.apple.com/kb/HT213182", "https://support.apple.com/kb/HT213183", "https://support.apple.com/kb/HT213193"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.4+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-36976"
+imported = 2025-11-04T03:25:54.342Z
+modified = 2025-11-03T22:15:49.807Z
+published = 2021-07-20T07:15:07.950Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-36976"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-36976"
+```
+
+# libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block ...
+
+libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
+

advisories/published/2025/JLSEC-0000-mnss5iki5-1ga5quy.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5iki5-1ga5quy"
+modified = 2025-11-04T03:26:01.037Z
+upstream = ["CVE-2021-44732"]
+references = ["https://bugs.gentoo.org/829660", "https://github.com/ARMmbed/mbedtls/releases", "https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12", "https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0", "https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0", "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html", "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12", "https://bugs.gentoo.org/829660", "https://github.com/ARMmbed/mbedtls/releases", "https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12", "https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0", "https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0", "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html", "https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html", "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12"]
+
+[[affected]]
+pkg = "MbedTLS_jll"
+ranges = ["< 2.28.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-44732"
+imported = 2025-11-04T03:26:01.037Z
+modified = 2025-11-03T20:15:51.403Z
+published = 2021-12-20T08:15:06.620Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44732"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-44732"
+```
+
+# Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an m...
+
+Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.
+

advisories/published/2025/JLSEC-0000-mnss5imam-zsv4oi.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5imam-zsv4oi"
+modified = 2025-11-04T03:26:03.358Z
+upstream = ["CVE-2022-0391"]
+references = ["https://bugs.python.org/issue43882", "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/", "https://security.gentoo.org/glsa/202305-02", "https://security.netapp.com/advisory/ntap-20220225-0009/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://bugs.python.org/issue43882", "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html", "https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/", "https://security.gentoo.org/glsa/202305-02", "https://security.netapp.com/advisory/ntap-20220225-0009/", "https://www.oracle.com/security-alerts/cpuapr2022.html"]
+
+[[affected]]
+pkg = "Python_jll"
+ranges = ["< 3.10.7+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-0391"
+imported = 2025-11-04T03:26:03.358Z
+modified = 2025-11-03T22:15:54.307Z
+published = 2022-02-09T23:15:16.580Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-0391"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-0391"
+```
+
+# A flaw was found in Python, specifically within the urllib.parse module
+
+A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
+

advisories/published/2025/JLSEC-0000-mnss5inqo-rqycve.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mnss5inqo-rqycve"
+modified = 2025-11-04T03:26:05.232Z
+upstream = ["CVE-2021-3575"]
+references = ["https://bugzilla.redhat.com/show_bug.cgi?id=1957616", "https://github.com/uclouvain/openjpeg/issues/1347", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/", "https://ubuntu.com/security/CVE-2021-3575", "https://bugzilla.redhat.com/show_bug.cgi?id=1957616", "https://github.com/uclouvain/openjpeg/issues/1347", "https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/", "https://ubuntu.com/security/CVE-2021-3575"]
+
+[[affected]]
+pkg = "OpenJpeg_jll"
+ranges = ["< 2.5.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-3575"
+imported = 2025-11-04T03:26:05.232Z
+modified = 2025-11-03T20:15:50.027Z
+published = 2022-03-04T18:15:08.193Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-3575"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-3575"
+```
+
+# A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompre...
+
+A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.
+