Bug 13286

Summary: [CVE 21] openexr 2.5.5 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, y.tumanov: secteam_verified+, a.proklov: published+
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2021-23169, CVE-2021-23215, CVE-2021-26260, CVE-2021-26945, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479, CVE-2021-3598, CVE-2021-3605, CVE-2021-3933,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:
Attachments: gdal.png

Description Yury 2023-05-03 18:01:17 MSK
Please patch CVEs for package openexr version 2.5.5
  
INFO (CVEs are): openexr 2.5.5
 cves found
CVE-2021-23169
Desc: A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23169
Severity: HIGH
CVE-2021-23215
Desc: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23215
Severity: MEDIUM
CVE-2021-26260
Desc: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-26260
Severity: MEDIUM
CVE-2021-26945
Desc: An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-26945
Severity: MEDIUM
CVE-2021-3474
Desc: There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3474
Severity: MEDIUM
CVE-2021-3475
Desc: There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3475
Severity: MEDIUM
CVE-2021-3476
Desc: A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3476
Severity: MEDIUM
CVE-2021-3477
Desc: There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3477
Severity: MEDIUM
CVE-2021-3478
Desc: There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3478
Severity: MEDIUM
CVE-2021-3479
Desc: There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Severity: MEDIUM
CVE-2021-3598
Desc: There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3598
Severity: MEDIUM
CVE-2021-3605
Desc: There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3605
Severity: MEDIUM
CVE-2021-3933
Desc: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3933
Severity: MEDIUM
Comment 1 Aleksandr Proklov 2023-05-26 10:28:53 MSK
CVE fixed in openexr-2.5.8

CVE-2021-3933 fixed

---------------------------------------
ilmbase	2.5.8-1

https://abf.io/build_lists/4445190
https://abf.io/build_lists/4445191
https://abf.io/build_lists/4445192
https://abf.io/build_lists/4445193
https://abf.io/build_lists/4445194

OpenEXR	2.5.8-1

https://abf.io/build_lists/4445218
https://abf.io/build_lists/4445219
https://abf.io/build_lists/4445220
https://abf.io/build_lists/4445221
https://abf.io/build_lists/4445222

-----------------------------------------
I'll rebuild the dependent projects later, since the library's major version changed
Comment 2 Aleksandr Proklov 2023-05-26 11:02:06 MSK
aqsis	1.8.3-2.git0dfff4.2 (contrib)

https://abf.io/build_lists/4445240
https://abf.io/build_lists/4445241
https://abf.io/build_lists/4445242
https://abf.io/build_lists/4445243
https://abf.io/build_lists/4445244

gdal	3.4.1-4 (+ enabled openjpeg2) - main

https://abf.io/build_lists/4445245
https://abf.io/build_lists/4445246
https://abf.io/build_lists/4445247
https://abf.io/build_lists/4445248
https://abf.io/build_lists/4445249

There is nothing else dependent in main; in contrib I'll rebuild according to repoclosure after publication
Comment 3 Dmitry Postnikov 2023-05-26 19:37:07 MSK
Created attachment 5898
gdal.png

I installed qmapshack from contrib; it pulled in all the libraries from the containers.
But QMapTool complains about gdal*** files not being found. They are indeed missing.

Maybe this is just how qmapshack behaves, or there really is a bug in gdal.
Comment 4 Dmitry Postnikov 2023-05-26 19:37:40 MSK
(In reply to Aleksandr from comment #1)
> CVE fixed in openexr-2.5.8
> 
> CVE-2021-3933 fixed
> 
> ---------------------------------------
> ilmbase	2.5.8-1
> 
> https://abf.io/build_lists/4445190
> https://abf.io/build_lists/4445191
> https://abf.io/build_lists/4445192
> https://abf.io/build_lists/4445193
> https://abf.io/build_lists/4445194
> 
> OpenEXR	2.5.8-1
> 
> https://abf.io/build_lists/4445218
> https://abf.io/build_lists/4445219
> https://abf.io/build_lists/4445220
> https://abf.io/build_lists/4445221
> https://abf.io/build_lists/4445222
> 
> aqsis	1.8.3-2.git0dfff4.2 (contrib)
> 
> https://abf.io/build_lists/4445240
> https://abf.io/build_lists/4445241
> https://abf.io/build_lists/4445242
> https://abf.io/build_lists/4445243
> https://abf.io/build_lists/4445244


***************************
The update sent to testings
Comment 6 Aleksandr Proklov 2023-06-05 13:01:12 MSK
gdal	3.4.3-1

https://abf.io/build_lists/4480303 (x64)
https://abf.io/build_lists/4480304
https://abf.io/build_lists/4480305
https://abf.io/build_lists/4480311


- minor updated
- restore missing files
Comment 7 Dmitry Postnikov 2023-06-06 09:29:52 MSK
***************************
The update sent to testings
Comment 8 Vladimir Potapov 2023-06-13 11:48:08 MSK
gdal-3.4.3-1
https://abf.io/build_lists/4480303 (x64)
https://abf.io/build_lists/4480304
https://abf.io/build_lists/4480305
https://abf.io/build_lists/4480311
************************* Advisory ********************
- minor updated
- restore missing files
*******************************************************
QA Verified
Comment 9 Yury 2023-07-05 11:08:02 MSK
Secteam Approved