Hi openjpeg maintainers,
I've been part of a lengthy discussion about this issue with the Debian LTS team (https://lists.debian.org/debian-lts/2024/04/msg00058.html) and the conclusion for now is that we would like to have your confirmation that the vulnerability reported in CVE-2019-12214 has been addressed in your code.
From what I've seen, the affected function j2k_read_ppm_v3 in file j2k.c has been removed in openjpeg 2.1.0. But we would like confirmation that the out-of-bound vulnerability hasn't been re-introduced elsewhere at that time. Could you please give us some assurance for this? Don't be afraid to go technical if needed ;-)
Best regards,
Cyrille