openjpeg2 (2.3.1-1ubuntu4.20.04.4+esm1) focal-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference
    - debian/patches/CVE-2025-50952.patch: Add a check to avoid null pointer
      dereference in src/lib/openjp2/dwt.c.
    - CVE-2025-50952

 -- Edwin Jiang <edwin.jiang@canonical.com>  Wed, 17 Sep 2025 18:26:22 +0000

openjpeg2 (2.3.1-1ubuntu4.20.04.4) focal-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow.
    - debian/patches/CVE-2024-56826.patch: Add comp12w variable and
      comparisons in src/bin/common/color.c.
    - debian/patches/CVE-2024-56827.patch: Add l_current_tile_part comparison
      to check again total number of tile parts in src/bin/openjp2/j2k.c.
    - CVE-2024-56826
    - CVE-2024-56827

 -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Tue, 21 Jan 2025 12:27:28 -0330

openjpeg2 (2.3.1-1ubuntu4.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2021-29338-1.patch:
    opj_compress/opj_uncompress: fix integer overflow in num_images
    - debian/patches/CVE-2021-29338-2.patch: Avoid overflow in
      multiplications in utilities related to big number of files in a
      directory
    - CVE-2021-29338
  * SECURITY UPDATE: heap buffer overflow
    - debian/patches/CVE-2021-3575.patch: opj_decompress: fix off-by-one
      read heap-buffer-overflow in sycc420_to_rgb() when x0 and y0 are odd
    - CVE-2021-3575
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2022-1122.patch: Fix segfault in
      src/bin/jp2/opj_decompress.c due to uninitialized pointer
    - CVE-2022-1122

 -- Bruce Cable <bruce.cable@canonical.com>  Tue, 22 Oct 2024 16:03:30 +1100

openjpeg2 (2.3.1-1ubuntu4.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: resource consumption loop
    - debian/patches/CVE-2023-39327.patch: when EPH markers are specified, 
      they are required
    - CVE-2023-39327

 -- Bruce Cable <bruce.cable@canonical.com>  Wed, 25 Sep 2024 12:59:17 +1000

openjpeg2 (2.3.1-1ubuntu4.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: use-after-free via directory
    - debian/patches/CVE-2020-15389.patch: fix double-free on input
      directory with mix of valid and invalid images in
      src/bin/jp2/opj_decompress.c.
    - CVE-2020-15389
  * SECURITY UPDATE: heap-buffer-overflow
    - debian/patches/CVE-2020-27814-1.patch: grow buffer size in
      src/lib/openjp2/tcd.c.
    - debian/patches/CVE-2020-27814-2.patch: grow it again
    - debian/patches/CVE-2020-27814-3.patch: and some more
    - debian/patches/CVE-2020-27814-4.patch: bigger, BIGGER!!!
    - CVE-2020-27814
  * SECURITY UPDATE: heap-buffer-overflow write
    - debian/patches/CVE-2020-27823.patch: fix wrong computation in
      src/bin/jp2/convertpng.c.
    - CVE-2020-27823
  * SECURITY UPDATE: global-buffer-overflow
    - debian/patches/CVE-2020-27824.patch: avoid global buffer overflow on
      irreversible conversion when too many decomposition levels are
      specified in src/lib/openjp2/dwt.c.
    - CVE-2020-27824
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27841.patch: add extra checks to
      src/lib/openjp2/pi.c, src/lib/openjp2/pi.h, src/lib/openjp2/t2.c.
    - CVE-2020-27841
  * SECURITY UPDATE: null pointer dereference
    - debian/patches/CVE-2020-27842.patch: add check to
      src/lib/openjp2/t2.c.
    - CVE-2020-27842
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27843.patch: add check to
      src/lib/openjp2/t2.c.
    - CVE-2020-27843
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27845.patch: add extra checks to
      src/lib/openjp2/pi.c.
    - CVE-2020-27845

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 06 Jan 2021 09:44:46 -0500

openjpeg2 (2.3.1-1ubuntu4) focal; urgency=medium

  * SECURITY UPDATE: denial of service via excessive iteration
    - debian/patches/CVE-2019-12973-1.patch: detect invalid file dimensions
      early in src/bin/jp2/convertbmp.c.
    - debian/patches/CVE-2019-12973-2.patch: avoid potential infinite loop
      in src/bin/jp2/convertbmp.c.
    - CVE-2019-12973
  * SECURITY UPDATE: heap overflow in opj_t1_clbl_decode_processor
    - debian/patches/CVE-2020-6851.patch: reject images whose
      coordinates are beyond INT_MAX in src/lib/openjp2/j2k.c.
    - CVE-2020-6851
  * SECURITY UPDATE: another heap overflow in opj_t1_clbl_decode_processor
    - debian/patches/CVE-2020-8112.patch: avoid integer overflow in
      src/lib/openjp2/tcd.c.
    - CVE-2020-8112

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 19 Feb 2020 09:52:00 -0500

openjpeg2 (2.3.1-1ubuntu3) focal; urgency=medium

  * Actually omit libopenjpip-server, not libkate-tools which is not in
    this package.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 17 Feb 2020 09:39:20 -0800

openjpeg2 (2.3.1-1ubuntu2) focal; urgency=medium

  * No-change rebuild with fixed binutils on arm64.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 10 Feb 2020 08:14:07 +0100

openjpeg2 (2.3.1-1ubuntu1) focal; urgency=medium

  * Omit libopenjpip-server on i386, we only want the libraries for
    compatibility.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Jan 2020 14:52:51 -0800

openjpeg2 (2.3.1-1) unstable; urgency=medium

  * New upstream release, addressing following security issues:
    - CVE-2018-20847 (Closes: #931294)
    - CVE-2018-21010 (Closes: #939553)
    - CVE-2018-5727 (Closes: #888532)
  * Remove following patches, applied upstream:
    - CVE-2017-17480.patch
    - CVE-2018-14423.patch
    - CVE-2018-18088.patch
    - CVE-2018-5785.patch
    - CVE-2018-6616.patch
  * Remove debian/patches/multiarch_path.patch:
    - useless since latest upstream changes.
  * Bump Standards-Version to 4.4.1.
  * Refresh and rework manpages.
  * Remove debian/README.source (Closes: #846390).

 -- Hugo Lefeuvre <hle@debian.org>  Mon, 07 Oct 2019 13:46:43 +0200

openjpeg2 (2.3.0-3) unstable; urgency=medium

  [ Helmut Grohne ]
  * Demote java dependencies to Build-Depends-Indep. (Closes: #870644)

  [ Mathieu Malaterre ]
  * debian/control: update URLs to new salsa location

 -- Mathieu Malaterre <malat@debian.org>  Mon, 30 Sep 2019 15:17:58 +0200

openjpeg2 (2.3.0-2) unstable; urgency=high

  [ Hugo Lefeuvre ]
  * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
    jp3d/convert.c (Closes: #884738).
  * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
    pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
  * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
    (Closes: #910763).
  * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
    opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
  * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
    openjp2/t1.c (Closes: #889683).

  [ Mathieu Malaterre ]
  * Add Hugo as Uploader

 -- Mathieu Malaterre <malat@debian.org>  Sun, 10 Mar 2019 18:34:51 +0100

openjpeg2 (2.3.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix "FTBFS with Java 9 due to -source/-target only":
    apply patch by Markus Koschany to build with Java 9 or later.
    (Closes: #873997)

 -- gregor herrmann <gregoa@debian.org>  Sun, 02 Dec 2018 18:18:22 +0100

openjpeg2 (2.3.0-1) unstable; urgency=medium

  * New upstream release. Closes: #877758
  * Drop explicit -dbg package. Closes: #877676
  * Fix CVE-2017-14041. Closes: #874115
  * Fix CVE-2017-14151. Closes: #874430
  * Fix CVE-2017-14152. Closes: #874431

 -- Mathieu Malaterre <malat@debian.org>  Mon, 16 Oct 2017 07:43:41 +0200

openjpeg2 (2.2.0-2) unstable; urgency=medium

  * Fix changelog. Closes: #876535
  * Provide openjpeg-2.1 compat symlinks:
    + usr/include/openjpeg-2.1
    + usr/lib/$(DEB_HOST_MULTIARCH)/openjpeg-2.1

 -- Mathieu Malaterre <malat@debian.org>  Tue, 03 Oct 2017 07:20:44 +0200

openjpeg2 (2.2.0-1) unstable; urgency=medium

  * New upstream release. Closes: #872041
  * Fix CVE-2016-9113. Closes: #844552
  * Fix CVE-2016-9114. Closes: #844553
  * Fix CVE-2016-9115. Closes: #844554
  * Fix CVE-2016-9116. Closes: #844555
  * Fix CVE-2016-9117. Closes: #844556

 -- Mathieu Malaterre <malat@debian.org>  Fri, 22 Sep 2017 21:51:36 +0200

openjpeg2 (2.1.2-1.3) unstable; urgency=medium

  * Fix FTFBS (Closes: #871905)

 -- Moritz Muehlenhoff <jmm@debian.org>  Sat, 12 Aug 2017 15:54:38 +0200

openjpeg2 (2.1.2-1.2) unstable; urgency=medium

  * Non-maintainer upload
  * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and
    CVE-2016-9118.patch

 -- Moritz Muehlenhoff <jmm@debian.org>  Fri, 11 Aug 2017 22:17:07 +0200

openjpeg2 (2.1.2-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Add CVE-2016-9572_CVE-2016-9573.patch patch.
    CVE-2016-9572: NULL pointer dereference in input decoding
    CVE-2016-9573: Heap out-of-bounds read due to insufficient check in
    imagetopnm(). (Closes: #851422)

 -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 22 Jan 2017 14:18:13 +0100

openjpeg2 (2.1.2-1) unstable; urgency=medium

  * New upstream. Closes: #839120
  * Fix CVE-2016-7163. Closes: #837604
  * Fix CVE-2016-7445. Closes: #838690
  * Remove patches applied upstream:

 -- Mathieu Malaterre <malat@debian.org>  Thu, 29 Sep 2016 08:11:30 +0200

openjpeg2 (2.1.1-1) unstable; urgency=medium

  * New upstream. Closes: #829734
    + d/watch points toward github now
    + Fix man page typos. Closes: #772889, #784377
    + Raise priority to optional. Closes: #822577
    + Fix multiple CVEs: Closes: #800453, #800149, #818399
  * Fix pc file. Closes: #787383
  * Remove reference to contrib. Closes: #820190
  * Bump Std-Vers to 3.9.8, no changes needed

 -- Mathieu Malaterre <malat@debian.org>  Mon, 11 Jul 2016 09:28:19 +0200

openjpeg2 (2.1.0-2.1) unstable; urgency=high

  * Non-maintainer upload.
  * Apache 2.4 transition: (Closes: #786333)
    + d/rules: Added --with apache2.
    + Drop d/libopenjpip-server.install.
    + Drop d/libopenjpip-server.prerm.
    + d/control: Add build-depends on dh-apache2, replace depends on
      apache2.2-bin by ${misc:Recommends}, add recommends on
      libapache2-mod-fastcgi.
    + New d/libopenjpip-server.conf for apache2 fastcgi setup.
    + Drop d/libopenjpip-server.load.
    + New d/libopenjpip-server.apache2 to set up the configuration.

 -- Jean-Michel Vourgère <nirgal@debian.org>  Thu, 21 May 2015 23:05:40 +0200

openjpeg2 (2.1.0-2) unstable; urgency=low

  * Install *.pc files. Closes: #762251
  * Remove cmake-fatal-error export stuff
  * Fix warnings in d/copyright
  * Bump Std-Vers to 3.9.6, no changes needed
  * Fix include path in export file to handle multi-arch install
    + debian/patches/multiarch_path.patch

 -- Mathieu Malaterre <malat@debian.org>  Tue, 07 Oct 2014 13:14:43 +0200

openjpeg2 (2.1.0-1) unstable; urgency=low

  * New upstream. Closes: #761154, #761155
  * Rename binary packages to prevent conflicts. Closes: #760874
  * Remove "Multi-Arch: same" for -dev package. Closes: #760421

 -- Mathieu Malaterre <malat@debian.org>  Thu, 11 Sep 2014 17:40:46 +0200

openjpeg2 (2.0.0-1) unstable; urgency=low

  * New upstream. Closes: #738655.

 -- Mathieu Malaterre <malat@debian.org>  Fri, 23 May 2014 18:23:37 +0200
