CVE-2021-3605: There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
I can see the patch is in 3.1.1, what about 2.5.x?
Should be in 2.5.7 as well, if I'm not wrong, see [1][2][3]. [3] mentions PR 1036. [1] https://github.com/AcademySoftwareFoundation/openexr/pull/1036#ref-pullrequest-911002150 [2] https://github.com/AcademySoftwareFoundation/openexr/pull/1040 [3] https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/CHANGES.md
Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7683cc9603063d01488cfc83b79ca58f6cc1c207 commit 7683cc9603063d01488cfc83b79ca58f6cc1c207 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2022-01-09 15:04:56 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2022-01-09 15:47:59 +0000 media-libs/ilmbase: Drop 2.5.6 Drops ppc/ppc64 to ~arch. IUSE openexr has been stable-masked on ppc64 with commit 152f2066 and remains in use.mask on ppc32 anyway. Bug: https://bugs.gentoo.org/787452 Bug: https://bugs.gentoo.org/801373 Bug: https://bugs.gentoo.org/810541 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/ilmbase/Manifest | 1 - media-libs/ilmbase/ilmbase-2.5.6.ebuild | 41 --------------------------------- 2 files changed, 42 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35787c9f4ca8dd500938349db43ecfee3fe44805 commit 35787c9f4ca8dd500938349db43ecfee3fe44805 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2022-01-09 14:55:16 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2022-01-09 15:47:58 +0000 media-libs/openexr: Cleanup vulnerable 2.5.6 Bug: https://bugs.gentoo.org/787452 Bug: https://bugs.gentoo.org/801373 Bug: https://bugs.gentoo.org/810541 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/openexr/Manifest | 1 - media-libs/openexr/openexr-2.5.6.ebuild | 62 --------------------------------- 2 files changed, 63 deletions(-)
GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37 commit d4c4a128904601416fe6b2663ba5e3ef91394c37 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-31 01:28:08 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-31 01:40:17 +0000 [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/787452 Bug: https://bugs.gentoo.org/801373 Bug: https://bugs.gentoo.org/810541 Bug: https://bugs.gentoo.org/817431 Bug: https://bugs.gentoo.org/830384 Bug: https://bugs.gentoo.org/838079 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+)
GLSA released, all done!
