heap-based buffer overflow issue

[prasadayush]

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Below are the risk factors associated to this issue -
Attack complexity: low, DoS - High, High severity, Remote execution

Vulnerability link - https://security-tracker.debian.org/tracker/CVE-2021-3575

[mrbean-bremen]

The CVE is fixed in openjpeg 2.5.1, while this package is based on 2.5.2. I've checked that the bugfix is included, I think this can be closed.

[scaramallion]

Looks like there are some unrelated fixes in v2.5.3, no harm in updating to the newest release.