Alpine: multiple openjpeg packages: security update to 2.3.1-r5

high Tenable Self-Hosted Container Security Plugin ID 424252

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616. (CVE-2019-12973)

- jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice. (CVE-2020-15389)

- A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application. (CVE-2020-27814)

- A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27823)

- A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability. (CVE-2020-27824)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-12973

https://security.alpinelinux.org/vuln/CVE-2020-15389

https://security.alpinelinux.org/vuln/CVE-2020-27814

https://security.alpinelinux.org/vuln/CVE-2020-27823

https://security.alpinelinux.org/vuln/CVE-2020-27824

Plugin Details

Severity: High

ID: 424252

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-27823

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/26/2019

Reference Information

CVE: CVE-2019-12973, CVE-2020-15389, CVE-2020-27814, CVE-2020-27823, CVE-2020-27824

BID: 108900