
Bug 746794

Summary: <media-libs/openexr-2.5.3: Multiple unspecified vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video, proxy-maint, waebbl-gentoo
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.3
See Also: https://github.com/gentoo/gentoo/pull/18923
https://github.com/gentoo/gentoo/pull/19684
https://github.com/gentoo/gentoo/pull/20133
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 746791, 762862    
Bug Blocks: 717474    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-05 23:39:51 UTC
"Patch release with various bug/security fixes and build/install fixes, plus a performance optimization:

    Various sanitizer/fuzz-identified issues related to handling of invalid input"
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 23:27:35 UTC
*** Bug 738866 has been marked as a duplicate of this bug. ***
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 23:29:11 UTC
Ping, please bump to 2.5.3.
Comment 4 Larry the Git Cow gentoo-dev 2021-01-24 01:48:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=918b36d2c8812022b83b25b234307af25725d9cd

commit 918b36d2c8812022b83b25b234307af25725d9cd
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2021-01-03 12:10:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-24 01:48:06 +0000

    media-libs/openexr: drop old 2.5.3
    
    Bug: https://bugs.gentoo.org/746794
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.3.ebuild | 61 ---------------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e7a9131cc0456d6ad60fa91a1988c5f1823618d

commit 1e7a9131cc0456d6ad60fa91a1988c5f1823618d
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2021-01-03 11:58:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-24 01:48:05 +0000

    media-libs/ilmbase: drop old 2.5.3
    
    Bug: https://bugs.gentoo.org/746794
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ilmbase/Manifest             |  1 -
 media-libs/ilmbase/ilmbase-2.5.3.ebuild | 45 ---------------------------------
 2 files changed, 46 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f49c50e51da2ea663ee68a683c07ae97f682f20

commit 0f49c50e51da2ea663ee68a683c07ae97f682f20
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2021-01-03 09:50:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-24 01:48:05 +0000

    media-libs/openexr: bump to 2.5.4
    
    Bug: https://bugs.gentoo.org/656680
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Closes: https://bugs.gentoo.org/762901
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.4.ebuild | 62 +++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3879f7d07fd0e99b3dc26e63f1134ac202a6dd1a

commit 3879f7d07fd0e99b3dc26e63f1134ac202a6dd1a
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2021-01-02 22:26:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-24 01:48:04 +0000

    media-libs/ilmbase: bump to 2.5.4
    
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/762901
    
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ilmbase/Manifest                        |  1 +
 ...2.5.4-0001-disable-failing-test-on-x86_32.patch | 24 +++++++++++++
 media-libs/ilmbase/ilmbase-2.5.4.ebuild            | 42 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)
Comment 5 NATTkA bot gentoo-dev 2021-01-24 01:53:00 UTC
Unable to check for sanity:

> no match for package: media-libs/openexr-2.5.3
Comment 6 Larry the Git Cow gentoo-dev 2021-02-27 16:38:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=846308f2111948a93e71caf312b2fea8dec2f121

commit 846308f2111948a93e71caf312b2fea8dec2f121
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:13:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:37:13 +0000

    media-libs/openexr: drop 2.5.2
    
    Security cleanup.
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/746794
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                |  1 -
 media-libs/openexr/openexr-2.5.2-r1.ebuild | 63 ------------------------------
 2 files changed, 64 deletions(-)
Comment 7 Bernd 2021-03-26 17:04:20 UTC
This PR should finish the cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2021-03-31 06:31:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                        |   1 -
 ...penexr-2.2.0-Install-missing-header-files.patch |  60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch     |  43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch    |  75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch    |  71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch   |  17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch     |  68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch     |  31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch       |  17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch |  36 -------
 media-libs/openexr/openexr-2.3.0.ebuild            |  79 --------------
 12 files changed, 615 deletions(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:00:42 UTC
GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-07-11 02:34:20 UTC
This issue was resolved and addressed in
 GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27
by GLSA coordinator John Helmert III (ajak).