A vulnerability identified as CVE-2016-9534 was discovered and fixed in LibTiff. However, related file isn't updated in the OpenJPEG project.
Details
This was fixed on LibTiff with the following commit: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a, which amended the TIFFFlushData1 function located in libtiff/tif_write.c file.
The OpenJPEG project contains an identical TIFFFlushData1 function in the thirdparty/libtiff/tif_write.c file, which has not been updated.
Summary
A vulnerability identified as CVE-2016-9534 was discovered and fixed in LibTiff. However, related file isn't updated in the OpenJPEG project.
Details
This was fixed on LibTiff with the following commit: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a, which amended the TIFFFlushData1 function located in libtiff/tif_write.c file. The OpenJPEG project contains an identical TIFFFlushData1 function in the thirdparty/libtiff/tif_write.c file, which has not been updated.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-9534 https://my.f5.com/manage/s/article/K34527393 https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a
openjpeg version
All versions prior to 2.5.2, which is the latest version at the time of this report, are potentially affected by this unpatched vulnerability.
Report Origin
The bug is reported by a tool developed at CAST