Bug 11103

Summary: Updated openexr packages fix security vulnerabilities (multiple CVE)
Product: [ROSA-based products] ROSA Fresh Reporter: Zombie Ryushu <zombie.ryushu>
Component: Contributed PackagesAssignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED --- QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://advisories.mageia.org/MGASA-2021-0015.html
Whiteboard:
Platform: 2016.1 ROSA Vulnerability identifier: CVE-2020-15304 , CVE-2020-15305 , CVE-2020-15306 , CVE-2020-16587 , CVE-2020-16588 , CVE-2020-16589
RPM Package: openexr-2.2.0-3.src.rpm (2016.1) openexr-2.3.0-1.src.rpm (2019.1) ISO-related:
Bad POT generating: Upstream:

Description Zombie Ryushu 2021-01-11 15:44:59 MSK 
An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file
could cause invalid memory access in TiledInputFile::TiledInputFile() in
IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference
(CVE-2020-15304).

An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a
use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in
IlmImf/ImfDeepScanLineInputFile.cpp (CVE-2020-15305).

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes
could cause a heap buffer overflow in getChunkOffsetTableSize() in
IlmImf/ImfMisc.cpp (CVE-2020-15306).

A heap-based buffer overflow vulnerability exists in Academy Software
Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in
ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR
file (CVE-2020-16587).

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR
2.3.0 in generatePreview in makePreview.cpp that can cause a denial of
service via a crafted EXR file (CVE-2020-16588).

A head-based buffer overflow exists in Academy Software Foundation OpenEXR
2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of
service via a crafted EXR file (CVE-2020-16589).
Comment 1 Giovanni Mariani 2021-03-23 12:10:32 MSK 
*** Bug 11051 has been marked as a duplicate of this bug. ***
Comment 2 Giovanni Mariani 2021-03-23 12:32:14 MSK 
I would like a report more exact: at least one could look at the CVE database
(https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=OpenEXR)...

Doing so shows that there are a lot more CVEs affecting the 2016.1 package:
at least the ones from CVE-2017-9110 to CVE-2017-9116, and CVE-2017-12596; possibly also all the CVEs listed for later releases.

The package for 2019.1, beside the CVE listed here, is affected by the folowinbg ones:
CVE-2018-18443 and CVE-2018-18444; from CVE-2020-11759 to CVE-2020-11765.

The right thing to fix all the above CVEs would be upgrading to the latest 2.5.3 release; this should be OK for 2019.1, but I don't know if this is doable for 2016.1: the library changed soname 5 times going from our actual 2.2.0 to 2.5.3 and there are about 30 packages that would need a rebuild (inclusive of 4 or 5 other libraries)...