CVE-2017-14152

Name of the Vulnerable Software and Affected Versions OpenJPEG version 2.2.0

Description A mishandled zero case was discovered in opj j2k set cinema parameters in lib/openjp2/j2k.c, causing an out-of-bounds write. This may lead to remote denial of service, specifically a heap-based buffer overflow affecting opj write bytes LE in lib/openjp2/cio.c and opj j2k write sot in lib/openjp2/j2k.c, or possibly remote code execution.

Recommendations As a temporary workaround, consider disabling the opj j2k set cinema parameters function until a patch is available. Restrict access to the opj write bytes LE and opj j2k write sot functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.