Summary: | <media-libs/openexr-2.5.2: Multiple vulnerabilities (CVE-2020-{11758,11759,11760,11761,11762,11763,11764,17765,15304,15305,15306}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | ajak, asturm, media-video, mgorny, proxy-maint, scantlight, waebbl-gentoo |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://github.com/gentoo/gentoo/pull/19685 https://github.com/gentoo/gentoo/pull/20133 | | |
Whiteboard: | B2 [glsa+ cve] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 733858, 746794 | | |
Bug Blocks: | | | |

Description
Sam James
2020-04-15 00:03:36 UTC
From the disclosure (Google): "Generally, most of the issues appear to be out-of-bounds reads and/or writes and could be exploitable (for information disclosure or remote code execution) depending on the usage scenario of the OpenEXR library."

@maintainer(s), please create an appropriate ebuild

CVE-2020-11765 (https://nvd.nist.gov/vuln/detail/CVE-2020-11765): An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.

CVE-2020-11764 (https://nvd.nist.gov/vuln/detail/CVE-2020-11764): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.

CVE-2020-11763 (https://nvd.nist.gov/vuln/detail/CVE-2020-11763): An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

CVE-2020-11762 (https://nvd.nist.gov/vuln/detail/CVE-2020-11762): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.

CVE-2020-11761 (https://nvd.nist.gov/vuln/detail/CVE-2020-11761): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.

CVE-2020-11760 (https://nvd.nist.gov/vuln/detail/CVE-2020-11760): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.

CVE-2020-11759 (https://nvd.nist.gov/vuln/detail/CVE-2020-11759): An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.

CVE-2020-11758 (https://nvd.nist.gov/vuln/detail/CVE-2020-11758): An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h.

CVE-2020-15304: An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

CVE-2020-15305: An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

CVE-2020-15306: An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

All appear to be fixed in 2.5.2 according to the changelog: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-252-june-15-2020

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dffcb2e509541795dae8dc842d07fe44525fa277

commit dffcb2e509541795dae8dc842d07fe44525fa277
Author: Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2020-03-03 22:46:55 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-07-21 18:58:25 +0000

    media-libs/openexr: bump to 2.5.2

    Move from an autotools based ebuild to a cmake based one.
    Solves CVE issues from bug #717474

    Bug: https://bugs.gentoo.org/711456
    Bug: https://bugs.gentoo.org/717474
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest | 1 +
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 ++++++++++++++
 media-libs/openexr/metadata.xml | 7 ++-
 media-libs/openexr/openexr-2.5.2.ebuild | 63 ++++++++++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)

We'll give it a few days because quite a lot changed.

OpenEXR is one part of a bigger upstream package, all three of them need to be stabilised in sync.

(In reply to Andreas Sturmlechner from comment #7)
> OpenEXR is one part of a bigger upstream package, all three of them need to
> be stabilised in sync.

Thanks. How are we looking?

Unable to check for sanity:
> no match for package: dev-python/pyilmbase-2.5.2
All sanity-check issues have been resolved

(In reply to Sam James from comment #8)
> (In reply to Andreas Sturmlechner from comment #7)
> > OpenEXR is one part of a bigger upstream package, all three of them need to
> > be stabilised in sync.
>
> Thanks. How are we looking?

Any reason not to proceed? I'll CC-ARCHES if not..?

No reason not to continue from my point of view.

(In reply to Bernd from comment #12)
> No reason not to continue from my point of view.

Thanks!

arm64 done

amd64 stable

sparc stable

Sanity check failed:
> dev-python/pyilmbase-2.5.2-r1
> depend x86 exp profile prefix/linux/x86 (2 total)
> dev-lang/python:3.6
> rdepend x86 exp profile prefix/linux/x86 (2 total)
> dev-lang/python:3.6
All sanity-check issues have been resolved

hppa stable

can we ignore the pyilmbase failure or drop it to ~arch, plz?

x86 stable

Unable to check for sanity:
> no match for package: media-libs/openexr-2.5.2
Unable to check for sanity:
> dependent bug #746794 has errors
All sanity-check issues have been resolved

Unable to check for sanity:
> dependent bug #762862 is missing keywords

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0db1b5472c8e58243900a7341e1675fd05544aa

commit a0db1b5472c8e58243900a7341e1675fd05544aa
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:35:56 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:36:57 +0000

    profiles: mask media-libs/openexr-2.3.0

    Several vulnerabilities. Mask until removal of
    media-gfx/openexr_viewers.

    Bug: https://bugs.gentoo.org/717474
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

This PR should finish the cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0

    Security cleanup

    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest | 1 -
 ...penexr-2.2.0-Install-missing-header-files.patch | 60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch | 43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch | 75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch | 71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch | 17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch | 68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch | 31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch | 17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch | 36 -------
 media-libs/openexr/openexr-2.3.0.ebuild | 79 --------------
 12 files changed, 615 deletions(-)

GLSA request filed.

This issue was resolved and addressed in GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27 by GLSA coordinator John Helmert III (ajak).