Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 787452 (CVE-2021-23169) - <media-libs/openexr-2.5.7: multiple vulnerabilities (CVE-2021-23169)
Summary: <media-libs/openexr-2.5.7: multiple vulnerabilities (CVE-2021-23169)
Status: RESOLVED FIXED
Alias: CVE-2021-23169
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks: CVE-2021-3598 CVE-2021-3605
  Show dependency tree
 
Reported: 2021-05-01 15:59 UTC by GLSAMaker/CVETool Bot
Modified: 2022-10-31 02:20 UTC (History)
3 users (show)

See Also:
Package list:
media-libs/openexr-2.5.7 media-libs/ilmbase-2.5.7 dev-python/pyilmbase-2.5.7 amd64
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 15:59:52 UTC
CVE-2021-23169 (https://nvd.nist.gov/vuln/detail/CVE-2021-23169):
  Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer


https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e

Not yet backported to v2.5.x.
Comment 1 Bernd 2021-05-01 17:14:24 UTC
There's already a PR for 3.0.1 available which should fix this.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-17 21:37:54 UTC
This is fixed in 2.5.7 alongside another oss-fuzz issue:

OSS-fuzz [28155](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28155) Crash in Imf_2_5::PtrIStream::read

Please bump.
Comment 3 Larry the Git Cow gentoo-dev 2021-06-22 18:35:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=075636aa0f50bf863c6185af87942ee1eca5e044

commit 075636aa0f50bf863c6185af87942ee1eca5e044
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-06-21 22:38:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-22 18:35:06 +0000

    media-libs/openexr: bump to 2.5.7
    
    Closes: https://bugs.gentoo.org/656680
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/787452
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ...nexr-2.5.7-0001-disable-testRgba-on-sparc.patch | 31 ++++++++++
 media-libs/openexr/openexr-2.5.7.ebuild            | 68 ++++++++++++++++++++++
 3 files changed, 100 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2021-06-22 18:44:31 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-06-22 18:56:26 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-06-22 19:40:46 UTC Comment hidden (obsolete)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-09 18:41:36 UTC
Ping.
Comment 8 Agostino Sarubbo gentoo-dev 2021-07-10 10:44:00 UTC
amd64 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-10 15:40:53 UTC
arm64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 20:52:00 UTC
x86 done
Comment 11 Rolf Eike Beer archtester 2021-07-22 15:03:26 UTC
sparc stable
Comment 12 Rolf Eike Beer archtester 2021-08-05 12:45:44 UTC
hppa done
Comment 13 Bernd 2021-10-13 05:29:20 UTC
Can we continue with the stabilization, so 2.5.6 can be dropped? Thank you.
Comment 14 NATTkA bot gentoo-dev 2021-10-16 09:16:55 UTC Comment hidden (obsolete)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-11 15:56:15 UTC
Ping ppc
Comment 16 Larry the Git Cow gentoo-dev 2021-11-14 04:42:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c1fdfbd693349f06ad3f03472a544a97c2963e3

commit 3c1fdfbd693349f06ad3f03472a544a97c2963e3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-14 04:22:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-14 04:42:46 +0000

    media-libs/ctl: destabilize for ppc64
    
    [Same as for openexr:
    
    We already had to mask this on ppc64be and mark it -ppc
    entirely and I don't usually do testing on ppc64le.
    
    Let's see if we can drop the stable keyword
    entirely here to make life easier.]
    
    Bug: https://bugs.gentoo.org/787452
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/22940
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ctl/ctl-1.5.2-r1.ebuild | 2 +-
 media-libs/ctl/ctl-1.5.2-r2.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=152f206623d2848e2220bad786cc413b90b79653

commit 152f206623d2848e2220bad786cc413b90b79653
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-14 04:04:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-14 04:42:45 +0000

    profiles/arch/powerpc/ppc64: stable-mask USE=openexr
    
    Bug: https://bugs.gentoo.org/787452
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/powerpc/ppc64/64le/use.stable.mask | 5 +++++
 profiles/arch/powerpc/ppc64/use.stable.mask      | 5 +++++
 2 files changed, 10 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ffcf0f8824fe88f79bb0cb9f7695b30b36acd083

commit ffcf0f8824fe88f79bb0cb9f7695b30b36acd083
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-14 03:35:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-14 04:42:41 +0000

    media-libs/openexr: destabilize 2.5.6 for ~ppc64
    
    We already had to mask this on ppc64be and mark it -ppc
    entirely and I don't usually do testing on ppc64le.
    
    Let's see if we can drop the stable keyword
    entirely here to make life easier.
    
    Bug: https://bugs.gentoo.org/787452
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/openexr-2.5.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-14 04:43:12 UTC
ppc64 dropped to ~arch.
Comment 18 NATTkA bot gentoo-dev 2021-11-14 04:48:46 UTC Comment hidden (obsolete)
Comment 19 Larry the Git Cow gentoo-dev 2022-01-09 15:48:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7683cc9603063d01488cfc83b79ca58f6cc1c207

commit 7683cc9603063d01488cfc83b79ca58f6cc1c207
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 15:04:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:59 +0000

    media-libs/ilmbase: Drop 2.5.6
    
    Drops ppc/ppc64 to ~arch.
    
    IUSE openexr has been stable-masked on ppc64 with commit 152f2066
    and remains in use.mask on ppc32 anyway.
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/ilmbase/Manifest             |  1 -
 media-libs/ilmbase/ilmbase-2.5.6.ebuild | 41 ---------------------------------
 2 files changed, 42 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35787c9f4ca8dd500938349db43ecfee3fe44805

commit 35787c9f4ca8dd500938349db43ecfee3fe44805
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 14:55:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:58 +0000

    media-libs/openexr: Cleanup vulnerable 2.5.6
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.6.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)
Comment 20 NATTkA bot gentoo-dev 2022-02-15 19:52:52 UTC
Unable to check for sanity:

> no match for package: media-libs/ilmbase-2.5.7
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 01:29:12 UTC
GLSA request filed.
Comment 22 Larry the Git Cow gentoo-dev 2022-10-31 01:41:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
Comment 23 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:20:54 UTC
GLSA released, all done!