CVE-2021-45942: OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). Patch: https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26df8d02bf9c189b08efb6712e9f6a8217a74658

commit 26df8d02bf9c189b08efb6712e9f6a8217a74658
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-01-27 18:59:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-28 07:53:21 +0000

    media-libs/openexr: bump to 3.1.4

    Bug: https://bugs.gentoo.org/830384
    Closes: https://bugs.gentoo.org/832143
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/23988
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-3.1.4.ebuild | 78 +++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Thanks for merging @Sam. I'll give it a week or so to see if any issues with the ebuild come up, before stabilizing.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a1d9ccaaa866fd0a831653dc92588fc59be0085

commit 5a1d9ccaaa866fd0a831653dc92588fc59be0085
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-03-14 06:01:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-10 21:01:49 +0000

    media-libs/openexr: drop 3.1.2, 3.1.3, 3.1.4

    Cleanup old and vulnerable slot 3 versions.

    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/820674
    Bug: https://bugs.gentoo.org/830384
    Closes: https://bugs.gentoo.org/833158
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |   2 -
 ...1-0001-changes-needed-for-proper-slotting.patch | 119 ----------
 ...0002-add-version-to-binaries-for-slotting.patch | 252 ---------------------
 media-libs/openexr/openexr-3.1.2.ebuild            |  78 -------
 media-libs/openexr/openexr-3.1.3.ebuild            |  78 -------
 media-libs/openexr/openexr-3.1.4.ebuild            |  78 -------
 6 files changed, 607 deletions(-)
GLSA request filed.
According to upstream's SECURITY.md file, the bug is not present in the 2.5 branch: https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/SECURITY.md
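An added example, not from this bug thread and not OpenEXR or Gentoo project code: a small POSIX sh check that decides whether an installed media-libs/openexr version lies in the CVE-2021-45942 range as the report states it (3.1.0 through 3.1.3), so an admin can confirm a host is clear after the 3.1.4 bump. It assumes the 2.5 branch is unaffected as noted above, that Gentoo revision or patch suffixes such as "-r1" or "_p1" do not change the upstream version being compared, that qlist from portage-utils is available when no version is passed on the command line, and the file name openexr_cve_check.sh for the run guard at the bottom; all of these are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the Gentoo bug thread or the OpenEXR project):
# decide whether an OpenEXR version lies in the CVE-2021-45942 range,
# 3.1.0 through 3.1.3, exactly as the report states it.
# Assumptions: the 2.5 branch is unaffected (upstream SECURITY.md) and
# versions outside the stated range are treated as not affected.

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Drop the consumed component, or empty the string on the last one.
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        # A missing trailing component counts as 0, so 3.1 == 3.1.0.
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# openexr_cve_2021_45942_affected VERSION: exit 0 if VERSION is within
# 3.1.0..3.1.3, exit 1 otherwise. Gentoo suffixes such as "-r1" or "_p1"
# are stripped first (assumption: they do not alter the upstream version).
openexr_cve_2021_45942_affected() {
    v="${1%%[-_]*}"
    [ "$(vercmp "$v" 3.1.0)" -ge 0 ] && [ "$(vercmp "$v" 3.1.3)" -le 0 ]
}

# Stand-alone use: check explicit version arguments, or, on a Gentoo host
# with portage-utils installed, the currently installed package versions.
main() {
    if [ $# -gt 0 ]; then
        versions="$*"
    elif command -v qlist >/dev/null 2>&1; then
        # Assumption: qlist -ICv prints lines like "media-libs/openexr-3.1.4".
        versions=$(qlist -ICv media-libs/openexr | sed 's|^media-libs/openexr-||')
    else
        echo "usage: $0 VERSION..." >&2
        return 2
    fi
    rc=0
    for v in $versions; do
        if openexr_cve_2021_45942_affected "$v"; then
            echo "openexr $v: AFFECTED by CVE-2021-45942"
            rc=1
        else
            echo "openexr $v: not in the affected range"
        fi
    done
    return $rc
}

# Run main only when executed under the assumed file name, not when sourced
# for its functions.
case "${0##*/}" in openexr_cve_check.sh) main "$@" ;; esac
```

Run it as `sh openexr_cve_check.sh 3.1.3-r1 3.1.4 2.5.8` to check explicit versions, or with no arguments on a Gentoo host to read the installed versions from qlist; the exit status is non-zero when any checked version falls in the range.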
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb815ca5634fd66f398d1e58cfd35a61688114cd

commit cb815ca5634fd66f398d1e58cfd35a61688114cd
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2023-01-28 10:24:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-01-28 11:26:42 +0000

    media-libs/openexr: drop 2.5.8

    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/29317
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 -
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 -------------
 ...xr-2.5.7-0002-increase-IlmImfTest-timeout.patch | 13 ----
 media-libs/openexr/openexr-2.5.8.ebuild            | 70 ----------------------
 4 files changed, 124 deletions(-)
Thanks!