
Bug 717474 (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765, CVE-2020-15304, CVE-2020-15305, CVE-2020-15306)

Summary: <media-libs/openexr-2.5.2: Multiple vulnerabilities (CVE-2020-{11758,11759,11760,11761,11762,11763,11764,11765,15304,15305,15306})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: ajak, asturm, media-video, mgorny, proxy-maint, scantlight, waebbl-gentoo
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/19685, https://github.com/gentoo/gentoo/pull/20133
Whiteboard: B2 [glsa? cve]
Package list:
Runtime testing required: ---
Bug Depends on: 746794, 733858
Bug Blocks:

Description Sam James archtester gentoo-dev Security 2020-04-15 00:03:36 UTC
1) CVE-2020-11758

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h."

2) CVE-2020-11759

Description:
"An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer."

3) CVE-2020-11760

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp."

4) CVE-2020-11761

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp."

5) CVE-2020-11762

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case."

6) CVE-2020-11763

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp."

7) CVE-2020-11764

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp."

8) CVE-2020-11765

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read."

--
All reported in this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987

All fixed in 2.4.1: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020

PR (merged): https://github.com/AcademySoftwareFoundation/openexr/pull/659
Comment 1 Sam James archtester gentoo-dev Security 2020-04-15 00:04:59 UTC
From the disclosure (Google):
"Generally, most of the issues appear to be out-of-bounds reads and/or writes and could be exploitable (for information disclosure or remote code execution) depending on the usage scenario of the OpenEXR library."
Comment 2 Sam James archtester gentoo-dev Security 2020-04-15 00:05:12 UTC
@maintainer(s), please create an appropriate ebuild
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-15 21:12:34 UTC
CVE-2020-11765 (https://nvd.nist.gov/vuln/detail/CVE-2020-11765):
  An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one
  error in use of the ImfXdr.h read function by
  DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.

CVE-2020-11764 (https://nvd.nist.gov/vuln/detail/CVE-2020-11764):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  write in copyIntoFrameBuffer in ImfMisc.cpp.

CVE-2020-11763 (https://nvd.nist.gov/vuln/detail/CVE-2020-11763):
  An issue was discovered in OpenEXR before 2.4.1. There is an std::vector
  out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

CVE-2020-11762 (https://nvd.nist.gov/vuln/detail/CVE-2020-11762):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when
  handling the UNKNOWN compression case.

CVE-2020-11761 (https://nvd.nist.gov/vuln/detail/CVE-2020-11761):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read during Huffman uncompression, as demonstrated by FastHufDecoder::refill
  in ImfFastHuf.cpp.

CVE-2020-11760 (https://nvd.nist.gov/vuln/detail/CVE-2020-11760):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read during RLE uncompression in rleUncompress in ImfRle.cpp.

CVE-2020-11759 (https://nvd.nist.gov/vuln/detail/CVE-2020-11759):
  An issue was discovered in OpenEXR before 2.4.1. Because of integer
  overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and
  readSampleCountForLineBlock, an attacker can write to an out-of-bounds
  pointer.

CVE-2020-11758 (https://nvd.nist.gov/vuln/detail/CVE-2020-11758):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read in ImfOptimizedPixelReading.h.
Comment 4 John Helmert III gentoo-dev Security 2020-06-26 05:41:56 UTC
CVE-2020-15304:

An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

CVE-2020-15305:

An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

CVE-2020-15306:

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

All appear to be fixed in 2.5.2 according to the changelog:

https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-252-june-15-2020
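The two fix thresholds in this bug (2.4.1 for CVE-2020-11758 through CVE-2020-11765, 2.5.2 for CVE-2020-15304 through CVE-2020-15306) can be turned into a small triage check for installed versions. The POSIX shell below is an added example, not code from this bug, from Gentoo, or from the openexr project; it assumes dotted numeric version strings (a Gentoo revision suffix such as `-r1` is tolerated because awk keeps only the leading numeric prefix of a component), and the `installed_openexr_versions` helper assumes Portage's installed-package database under `/var/db/pkg`.

```shell
#!/bin/sh
# Added example: classify an OpenEXR version against the fix thresholds
# named in this bug (2.4.1 and 2.5.2). Not part of the bug or of openexr.

# version_lt A B: succeeds (exit 0) when dotted version A is strictly lower than B.
# Missing components count as 0; a suffix such as "2-r1" compares as 2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# openexr_exposure VERSION: prints which CVE groups from this bug VERSION is
# still exposed to, or a "not affected" line when it is at or past 2.5.2.
openexr_exposure() {
    v="$1"; out=""
    if version_lt "$v" 2.4.1; then
        out="CVE-2020-11758..CVE-2020-11765 (fixed in 2.4.1)"
    fi
    if version_lt "$v" 2.5.2; then
        out="${out:+$out; }CVE-2020-15304..CVE-2020-15306 (fixed in 2.5.2)"
    fi
    printf '%s\n' "${out:-not affected by the CVEs in this bug}"
}

# installed_openexr_versions: lists versions recorded in Portage's VDB
# (assumed layout: /var/db/pkg/media-libs/openexr-<version>/). Prints nothing
# when the package is not installed.
installed_openexr_versions() {
    for d in /var/db/pkg/media-libs/openexr-*; do
        [ -d "$d" ] || continue
        basename "$d" | sed 's/^openexr-//'
    done
}

# Usage when run directly: report exposure for every installed version,
# falling back to a constructed sample version when none is installed.
if [ "${0##*/}" != "sh" ] && [ -z "$OPENEXR_CHECK_LIBRARY_MODE" ]; then
    found=0
    for ver in $(installed_openexr_versions); do
        found=1
        printf 'openexr-%s: %s\n' "$ver" "$(openexr_exposure "$ver")"
    done
    [ "$found" -eq 1 ] || printf 'sample openexr-2.3.0: %s\n' "$(openexr_exposure 2.3.0)"
fi
```

Running the script on a box with `media-libs/openexr-2.3.0` still in the VDB prints both CVE groups, which matches the later comments in this bug that mask and then drop 2.3.0; a 2.4.1 install is reported as exposed only to the 2.5.2 group.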
Comment 5 Larry the Git Cow gentoo-dev 2020-07-21 18:58:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dffcb2e509541795dae8dc842d07fe44525fa277

commit dffcb2e509541795dae8dc842d07fe44525fa277
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2020-03-03 22:46:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-07-21 18:58:25 +0000

    media-libs/openexr: bump to 2.5.2
    
    Move from an autotools based ebuild to a cmake based one.
    
    Solves CVE issues from bug #717474
    
    Bug: https://bugs.gentoo.org/711456
    Bug: https://bugs.gentoo.org/717474
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 ++++++++++++++
 media-libs/openexr/metadata.xml                    |  7 ++-
 media-libs/openexr/openexr-2.5.2.ebuild            | 63 ++++++++++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)
Comment 6 Sam James archtester gentoo-dev Security 2020-07-21 19:04:23 UTC
We'll give it a few days because quite a lot changed.
Comment 7 Andreas Sturmlechner gentoo-dev 2020-07-21 19:13:15 UTC
OpenEXR is one part of a bigger upstream package, all three of them need to be stabilised in sync.
Comment 8 Sam James archtester gentoo-dev Security 2020-08-01 04:48:59 UTC
(In reply to Andreas Sturmlechner from comment #7)
> OpenEXR is one part of a bigger upstream package, all three of them need to
> be stabilised in sync.

Thanks. How are we looking?
Comment 9 NATTkA bot gentoo-dev 2020-08-02 10:44:50 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2020-08-02 10:48:52 UTC Comment hidden (obsolete)
Comment 11 Sam James archtester gentoo-dev Security 2020-08-05 18:14:39 UTC
(In reply to Sam James from comment #8)
> (In reply to Andreas Sturmlechner from comment #7)
> > OpenEXR is one part of a bigger upstream package, all three of them need to
> > be stabilised in sync.
> 
> Thanks. How are we looking?

Any reason not to proceed? I'll CC-ARCHES if not.
Comment 12 Bernd 2020-08-05 18:42:54 UTC
No reason not to continue from my point of view.
Comment 13 Sam James archtester gentoo-dev Security 2020-08-05 18:44:55 UTC
(In reply to Bernd from comment #12)
> No reason not to continue from my point of view.

Thanks!
Comment 14 Sam James archtester gentoo-dev Security 2020-08-06 02:09:24 UTC
arm64 done
Comment 15 Agostino Sarubbo gentoo-dev 2020-08-07 11:44:48 UTC
amd64 stable
Comment 16 Sergei Trofimovich gentoo-dev 2020-08-12 19:05:40 UTC
sparc stable
Comment 17 NATTkA bot gentoo-dev 2020-09-13 10:49:51 UTC Comment hidden (obsolete)
Comment 18 NATTkA bot gentoo-dev 2020-09-13 13:39:08 UTC Comment hidden (obsolete)
Comment 19 Rolf Eike Beer 2020-09-14 17:23:48 UTC
hppa stable
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-16 14:05:59 UTC
Can we ignore the pyilmbase failure or drop it to ~arch, please?
Comment 21 Thomas Deutschmann gentoo-dev Security 2020-09-20 16:28:57 UTC
x86 stable
Comment 22 NATTkA bot gentoo-dev 2020-10-07 18:13:02 UTC Comment hidden (obsolete)
Comment 23 NATTkA bot gentoo-dev 2021-01-24 01:53:08 UTC Comment hidden (obsolete)
Comment 24 NATTkA bot gentoo-dev 2021-01-24 02:33:16 UTC Comment hidden (obsolete)
Comment 25 NATTkA bot gentoo-dev 2021-02-18 22:05:06 UTC
Unable to check for sanity:

> dependent bug #762862 is missing keywords
Comment 26 Larry the Git Cow gentoo-dev 2021-02-27 16:38:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0db1b5472c8e58243900a7341e1675fd05544aa

commit a0db1b5472c8e58243900a7341e1675fd05544aa
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:35:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:36:57 +0000

    profiles: mask media-libs/openexr-2.3.0
    
    Several vulnerabilities. Mask until removal of
    media-gfx/openexr_viewers.
    
    Bug: https://bugs.gentoo.org/717474
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 27 Bernd 2021-03-26 17:04:44 UTC
This PR should finish the cleanup.
Comment 28 Larry the Git Cow gentoo-dev 2021-03-31 06:31:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                        |   1 -
 ...penexr-2.2.0-Install-missing-header-files.patch |  60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch     |  43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch    |  75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch    |  71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch   |  17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch     |  68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch     |  31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch       |  17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch |  36 -------
 media-libs/openexr/openexr-2.3.0.ebuild            |  79 --------------
 12 files changed, 615 deletions(-)