1) CVE-2020-11758
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h."

2) CVE-2020-11759
Description: "An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer."

3) CVE-2020-11760
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp."

4) CVE-2020-11761
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp."

5) CVE-2020-11762
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case."

6) CVE-2020-11763
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp."

7) CVE-2020-11764
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp."

8) CVE-2020-11765
Description: "An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read."

--

All reported in this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
All fixed in 2.4.1: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020
PR (merged): https://github.com/AcademySoftwareFoundation/openexr/pull/659
From the disclosure (Google): "Generally, most of the issues appear to be out-of-bounds reads and/or writes and could be exploitable (for information disclosure or remote code execution) depending on the usage scenario of the OpenEXR library."
@maintainer(s), please create an appropriate ebuild
CVE-2020-11765 (https://nvd.nist.gov/vuln/detail/CVE-2020-11765): An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.

CVE-2020-11764 (https://nvd.nist.gov/vuln/detail/CVE-2020-11764): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.

CVE-2020-11763 (https://nvd.nist.gov/vuln/detail/CVE-2020-11763): An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

CVE-2020-11762 (https://nvd.nist.gov/vuln/detail/CVE-2020-11762): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.

CVE-2020-11761 (https://nvd.nist.gov/vuln/detail/CVE-2020-11761): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.

CVE-2020-11760 (https://nvd.nist.gov/vuln/detail/CVE-2020-11760): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.

CVE-2020-11759 (https://nvd.nist.gov/vuln/detail/CVE-2020-11759): An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.

CVE-2020-11758 (https://nvd.nist.gov/vuln/detail/CVE-2020-11758): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h.
CVE-2020-15304: An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

CVE-2020-15305: An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

CVE-2020-15306: An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

All appear to be fixed in 2.5.2 according to the changelog: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-252-june-15-2020
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dffcb2e509541795dae8dc842d07fe44525fa277

commit dffcb2e509541795dae8dc842d07fe44525fa277
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2020-03-03 22:46:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-07-21 18:58:25 +0000

    media-libs/openexr: bump to 2.5.2

    Move from an autotools based ebuild to a cmake based one.
    Solves CVE issues from bug #717474

    Bug: https://bugs.gentoo.org/711456
    Bug: https://bugs.gentoo.org/717474
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 ++++++++++++++
 media-libs/openexr/metadata.xml                    |  7 ++-
 media-libs/openexr/openexr-2.5.2.ebuild            | 63 ++++++++++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)
We'll give it a few days because quite a lot changed.
OpenEXR is one part of a bigger upstream package, all three of them need to be stabilised in sync.
(In reply to Andreas Sturmlechner from comment #7)
> OpenEXR is one part of a bigger upstream package, all three of them need to
> be stabilised in sync.

Thanks. How are we looking?
Unable to check for sanity:
> no match for package: dev-python/pyilmbase-2.5.2
All sanity-check issues have been resolved
(In reply to Sam James from comment #8)
> (In reply to Andreas Sturmlechner from comment #7)
> > OpenEXR is one part of a bigger upstream package, all three of them need to
> > be stabilised in sync.
>
> Thanks. How are we looking?

Any reason not to proceed? I'll CC-ARCHES if not..?
No reason not to continue from my point of view.
(In reply to Bernd from comment #12)
> No reason not to continue from my point of view.

Thanks!
arm64 done
amd64 stable
sparc stable
Sanity check failed:
> dev-python/pyilmbase-2.5.2-r1
>   depend x86 exp profile prefix/linux/x86 (2 total)
>     dev-lang/python:3.6
>   rdepend x86 exp profile prefix/linux/x86 (2 total)
>     dev-lang/python:3.6
hppa stable
can we ignore the pyilmbase failure or drop it to ~arch, plz?
x86 stable
Unable to check for sanity:
> no match for package: media-libs/openexr-2.5.2
Unable to check for sanity:
> dependent bug #746794 has errors
Unable to check for sanity:
> dependent bug #762862 is missing keywords
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0db1b5472c8e58243900a7341e1675fd05544aa

commit a0db1b5472c8e58243900a7341e1675fd05544aa
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:35:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:36:57 +0000

    profiles: mask media-libs/openexr-2.3.0

    Several vulnerabilities. Mask until removal of media-gfx/openexr_viewers.

    Bug: https://bugs.gentoo.org/717474
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
This PR should finish the cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0

    Security cleanup

    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                        |   1 -
 ...penexr-2.2.0-Install-missing-header-files.patch |  60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch     |  43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch    |  75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch    |  71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch   |  17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch     |  68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch     |  31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch       |  17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch |  36 -------
 media-libs/openexr/openexr-2.3.0.ebuild            |  79 --------------
 12 files changed, 615 deletions(-)
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27 by GLSA coordinator John Helmert III (ajak).