Bug 13914

Summary: [CVE 21] openexr 2.5.8 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Highest
CC: a.proklov, e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All
Flags: y.tumanov: secteam_verified?
Target Milestone: 2021.1 Fresh R12   
Hardware: All   
OS: Linux   
URL: CVE-2021-23169, CVE-2021-23215, CVE-2021-26260, CVE-2021-26945, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479, CVE-2021-3598, CVE-2021-3605, CVE-2021-3933
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:29:32 MSK
Please patch CVEs for package openexr version 2.5.8
  
INFO (CVEs are): openexr 2.5.8
 cves found
CVE-2021-23169
Desc: A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23169
Severity: HIGH
CVE-2021-23215
Desc: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23215
Severity: MEDIUM
CVE-2021-26260
Desc: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-26260
Severity: MEDIUM
CVE-2021-26945
Desc: An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-26945
Severity: MEDIUM
CVE-2021-3474
Desc: There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3474
Severity: MEDIUM
CVE-2021-3475
Desc: There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3475
Severity: MEDIUM
CVE-2021-3476
Desc: A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3476
Severity: MEDIUM
CVE-2021-3477
Desc: There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3477
Severity: MEDIUM
CVE-2021-3478
Desc: There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3478
Severity: MEDIUM
CVE-2021-3479
Desc: There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Severity: MEDIUM
CVE-2021-3598
Desc: There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3598
Severity: MEDIUM
CVE-2021-3605
Desc: There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3605
Severity: MEDIUM
CVE-2021-3933
Desc: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3933
Severity: MEDIUM
Comment 1 Vladimir Potapov 2023-10-20 18:02:35 MSK
*** Bug 13782 has been marked as a duplicate of this bug. ***
Comment 2 Svyatoslav Matveev 2023-10-22 19:15:26 MSK
Everything is fixed in this version,
except CVE-2021-26945; it is incomplete, so we will not apply it.
Comment 3 Yury 2023-10-27 18:00:59 MSK
(In reply to Svyatoslav Matveev from comment #2)
> Everything is fixed in this version,
> except CVE-2021-26945; it is incomplete, so we will not apply it.

There are two versions of the sources in main:

openexr 2.5.8
openexr3 3.1.4


And does the scanner trigger for openexr 2.5.8?
Is it really needed in the repos?

Can't we keep openexr3 3.1.4?
Comment 4 Aleksandr Proklov 2023-11-07 12:59:20 MSK
Different programs use different versions of openexr.
Comment 5 Aleksandr Proklov 2023-11-08 11:14:20 MSK
Here is who needs it:

$ dnf rq --whatrequires lib64IlmImf2_5*
aqsis-0:1.8.3-2.git0dfff4.2.x86_64 contrib
kdelibs4-core-5:4.14.38-6.x86_64 contrib
lib64aqsis1-0:1.8.3-2.git0dfff4.2.x86_64 contrib
luminance-hdr-0:2.6.1.1-3.x86_64 contrib
openscenegraph-plugins-0:3.6.5-3.x86_64 contrib

I.e., I propose banishing openexr-2.5.8 to contrib.
Comment 6 Aleksandr Proklov 2023-11-08 11:19:36 MSK
One more test:

$ dnf rq --qf '%{sourcerpm} %{repoid}' --whatrequires lib64IlmImf2_5*

aqsis-1.8.3-2.git0dfff4.2.src.rpm mirror-rosa-x86_64-contrib
kdelibs4-4.14.38-6.src.rpm mirror-rosa-x86_64-contrib
luminance-hdr-2.6.1.1-3.src.rpm mirror-rosa-x86_64-contrib
openexr-2.5.8-1.src.rpm mirror-rosa-x86_64-main
openscenegraph-3.6.5-3.src.rpm mirror-rosa-x86_64-contrib
Comment 7 Aleksandr Proklov 2023-12-06 06:13:08 MSK
openexr 2.5.8 has been moved to contrib on all platforms. The packages have been cleaned up.
Comment 8 Aleksandr Proklov 2023-12-06 06:13:30 MSK
The secteam flag can be removed.