838079 – <media-libs/openexr-3.1.5: oss-fuzz issues

Bug 838079 - <media-libs/openexr-3.1.5: oss-fuzz issues

Summary: <media-libs/openexr-3.1.5: oss-fuzz issues

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/AcademySoftwareFou...
Whiteboard:	B2 [glsa+]
Keywords:	PullRequest

Depends on:	837911 839582 877865 877901 878149 878173 878243 878247
Blocks:	878213
	Show dependency tree

Reported:	2022-04-12 14:02 UTC by John Helmert III
Modified:	2023-01-29 20:17 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/25022 https://github.com/gentoo/gentoo/pull/27522 https://github.com/gentoo/gentoo/pull/29317
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-04-12 14:02:26 UTC

From URL:

"Specific OSS-fuzz issues addressed:
- OSS-fuzz [46309](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46309) Heap-buffer-overflow in Imf_3_1::memstream_read
- OSS-fuzz [46083](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46083) Out-of-memory in openexr_exrcheck_fuzzer
- OSS-fuzz [45899](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45899) Integer-overflow in internal_exr_compute_chunk_offset_size
- OSS-fuzz [44084](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44084) Out-of-memory in openexr_exrcheck_fuzzer"

Please bump to 3.1.5.

Comment 1 Larry the Git Cow gentoo-dev

2022-04-19 06:41:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2cad20e1001813a9869391b4281a435a174a0401

commit 2cad20e1001813a9869391b4281a435a174a0401
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-04-14 04:38:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-19 06:41:31 +0000

    media-libs/openexr: add 3.1.5
    
    Closes: https://bugs.gentoo.org/837911
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/25022
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-3.1.5.ebuild | 67 +++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

Comment 2 John Helmert III archtester

2022-04-19 15:44:24 UTC

Thanks! Please stabilize 3.1.5 when ready

Comment 3 John Helmert III archtester

2022-09-28 22:46:48 UTC

Please cleanup

Comment 4 Larry the Git Cow gentoo-dev

2022-09-29 05:53:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7f15717240e71aad00ea50b1661095658a6390b

commit e7f15717240e71aad00ea50b1661095658a6390b
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-09-29 05:21:38 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-29 05:52:59 +0000

    media-libs/openexr: drop 3.1.4-r1
    
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/27522
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                |  1 -
 media-libs/openexr/openexr-3.1.4-r1.ebuild | 73 ------------------------------
 2 files changed, 74 deletions(-)

Comment 5 John Helmert III archtester

2022-10-22 01:29:43 UTC

GLSA request filed.

Comment 6 Bernd 2022-10-22 07:18:16 UTC

AFAICS the bugs are all related to the OpenEXRCore C engine, which isn't present in the RB-2.5 branch.

Additionally, according to upstreams Security.md file, the issues are not present in the 2.x versions of OpenEXR: https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/SECURITY.md

Comment 7 Larry the Git Cow gentoo-dev

2022-10-31 01:42:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

Comment 8 Larry the Git Cow gentoo-dev

2023-01-28 11:27:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb815ca5634fd66f398d1e58cfd35a61688114cd

commit cb815ca5634fd66f398d1e58cfd35a61688114cd
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2023-01-28 10:24:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-01-28 11:26:42 +0000

    media-libs/openexr: drop 2.5.8
    
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/29317
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 -
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 -------------
 ...xr-2.5.7-0002-increase-IlmImfTest-timeout.patch | 13 ----
 media-libs/openexr/openexr-2.5.8.ebuild            | 70 ----------------------
 4 files changed, 124 deletions(-)