
Bug 627226 (CVE-2017-12596)

Summary: <media-libs/openexr-2.3.0: denial of service in hufDecode function (CVE-2017-12596)
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/9729
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 620324
Bug Blocks:

Description Aleksandr Wagner (Kivak) 2017-08-07 08:04:01 UTC
CVE-2017-12596 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12596):

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact. 

References:

https://github.com/openexr/openexr/issues/238
https://github.com/xiaoqx/pocs/blob/master/openexr.md
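The bug class behind this report, as an added example that is not part of the bug report and not OpenEXR's code: a prefix-code decoder whose loop is driven by an attacker-controlled symbol count and whose bit refill trusts that the stream supplies enough bytes, next to the hardened refill that stops at the declared end of the compressed data. The code table ('a' = 0, 'b' = 10, 'c' = 11), the `bitreader` struct, the `decode`/`refill_*` names and the sample "file" are all constructed for illustration and do not correspond to the tables or identifiers in IlmImf/ImfHuf.cpp. The unchecked variant is run inside a deliberately oversized buffer so that the read past the declared end stays inside the allocation and can be counted; in a real decoder those bytes belong to whatever neighbours the buffer on the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy prefix-code decoder modelling the CVE-2017-12596 bug class.
 * NOT OpenEXR's hufDecode: code table, struct and function names are
 * constructed for this example.
 *
 * Code table: 'a' = 0, 'b' = 10, 'c' = 11.
 *
 * The decoder is told by header fields how many symbols to produce and
 * how many input bytes exist. A decoder that honours only the symbol
 * count keeps pulling bytes after the declared end of the compressed
 * data; that is the heap over-read.
 */

struct bitreader {
    const uint8_t *in;   /* next byte to consume */
    const uint8_t *ie;   /* one past the last byte of the declared input */
    uint64_t c;          /* bit accumulator */
    int lc;              /* number of valid bits in c */
    size_t overread;     /* bytes consumed at or beyond ie (instrumentation) */
};

/* Vulnerable refill: assumes the stream always supplies enough bytes. */
static void refill_unchecked(struct bitreader *br)
{
    if (br->in >= br->ie)
        br->overread++;          /* this byte lies past the declared end */
    br->c = (br->c << 8) | *br->in++;
    br->lc += 8;
}

/* Hardened refill: refuses to read past the declared end of input. */
static int refill_checked(struct bitreader *br)
{
    if (br->in >= br->ie)
        return -1;
    br->c = (br->c << 8) | *br->in++;
    br->lc += 8;
    return 0;
}

/* Next bit of the stream, or -1 when checked mode hits end of input. */
static int get_bit(struct bitreader *br, int checked)
{
    if (br->lc == 0) {
        if (checked) {
            if (refill_checked(br) < 0)
                return -1;
        } else {
            refill_unchecked(br);
        }
    }
    br->lc--;
    return (int)((br->c >> br->lc) & 1);
}

/*
 * Decode nsyms symbols from buf, treating declared_len bytes as valid.
 * out must hold nsyms + 1 bytes. Returns the number of symbols decoded,
 * or -1 if checked mode ran out of input first (out keeps the partial
 * result). *overread receives the byte count read past declared_len.
 */
static int decode(const uint8_t *buf, size_t declared_len, int nsyms,
                  char *out, int checked, size_t *overread)
{
    struct bitreader br = { buf, buf + declared_len, 0, 0, 0 };
    int n, rc = 0;

    for (n = 0; n < nsyms; n++) {
        int b = get_bit(&br, checked);
        if (b < 0) { rc = -1; break; }
        if (b == 0) { out[n] = 'a'; continue; }   /* code 0 */
        b = get_bit(&br, checked);
        if (b < 0) { rc = -1; break; }
        out[n] = b ? 'c' : 'b';                     /* codes 11 / 10 */
    }
    out[n] = '\0';
    if (overread)
        *overread = br.overread;
    return rc < 0 ? -1 : n;
}

int main(void)
{
    /* Constructed "file": 0x58 encodes "abc" plus padding, declared as
     * 1 byte of data, while the header claims 8 symbols. The remaining
     * bytes stand in for neighbouring heap memory. */
    uint8_t heap[16];
    char out[16];
    size_t over;
    int n;

    memset(heap, 0xFF, sizeof heap);
    heap[0] = 0x58;

    n = decode(heap, 1, 8, out, 0, &over);
    printf("unchecked: %d symbols \"%s\", %zu byte(s) read past input\n", n, out, over);
    n = decode(heap, 1, 8, out, 1, &over);
    printf("checked:   %d (\"%s\"), %zu byte(s) read past input\n", n, out, over);
    return 0;
}
```

The unchecked decoder happily produces eight symbols, the last two made from a byte that was never part of the compressed data; the checked decoder returns the six symbols the single byte actually encodes and then reports truncation, which is the behaviour a consumer such as exrmaketiled needs so that a crafted image ends in a clean error instead of a crash or an information leak.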