
Bug 770229

Summary: <media-libs/openexr-2.5.5: multiple vulnerabilities
Product: Gentoo Security
Reporter: Bernd <waebbl-gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ionen, media-video, mgorny, proxy-maint, waebbl-gentoo
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.5
See Also: https://github.com/gentoo/gentoo/pull/19470
          https://github.com/gentoo/gentoo/pull/19684
          https://github.com/gentoo/gentoo/pull/20133
          https://github.com/gentoo/gentoo/pull/20899
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 776808
Bug Blocks: 762862

Description Bernd 2021-02-12 17:18:13 UTC
There's been a new release 2.5.5 with fixes to the following vulnerabilities:

    OSS-fuzz #30291 Timeout in openexr_exrcheck_fuzzer
    OSS-fuzz #29106 Heap-buffer-overflow in Imf_2_5::FastHufDecoder::decode
    OSS-fuzz #28971 Undefined-shift in Imf_2_5::cachePadding
    OSS-fuzz #29829 Integer-overflow in Imf_2_5::DwaCompressor::initializeBuffers
    OSS-fuzz #30121 Out-of-memory in openexr_exrcheck_fuzzer

Reproducible: Always

I'm gonna prepare updated ebuilds.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-16 19:19:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42498dcff76d3e714a374ca102e93fa1974ebc6a

commit 42498dcff76d3e714a374ca102e93fa1974ebc6a
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-14 20:06:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-16 19:19:52 +0000

    dev-python/pyilmbase: bump to 2.5.5
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/19470
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyilmbase/Manifest               |  1 +
 dev-python/pyilmbase/pyilmbase-2.5.5.ebuild | 62 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a24be9405212a46b1bf14c5a3a4b57e090ef10c5

commit a24be9405212a46b1bf14c5a3a4b57e090ef10c5
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-14 14:44:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-16 19:19:52 +0000

    media-libs/openexr: bump to 2.5.5
    
    Mostly security related fuzzer fixes.
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.5.ebuild | 62 +++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77796280d796d69b8cfe8e31bf60813bf2a86bf4

commit 77796280d796d69b8cfe8e31bf60813bf2a86bf4
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-14 10:01:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-16 19:19:52 +0000

    media-libs/ilmbase: bump to 2.5.5
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ilmbase/Manifest             |  1 +
 media-libs/ilmbase/ilmbase-2.5.5.ebuild | 42 +++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 19:34:57 UTC
Please let us know when ready to stable.
Comment 3 Bernd 2021-02-16 19:44:14 UTC
I think we should give it a few days, to verify revdeps are building successfully. The packages have almost exclusively security fixes and the stabilization process for 2.5.4 was already ongoing.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 19:58:23 UTC
(In reply to Bernd from comment #3)
> I think we should give it a few days, to verify revdeps are building
> successfully. The packages have almost exclusively security fixes and the
> stabilization process for 2.5.4 was already ongoing.

Ok, but just FYI stabilization here isn't blocked by 2.5.4 stabilization.
Comment 5 Bernd 2021-02-16 21:04:32 UTC
(In reply to John Helmert III (ajak) from comment #4)
> Ok, but just FYI stabilization here isn't blocked by 2.5.4 stabilization.

Although I didn't know this, I wasn't thinking about this being the case.

My thinking was, because stabilization for 2.5.4 is already going and there are no major code changes, a few days to test revdeps should be enough. No need to wait 2 weeks or more.
Comment 6 Bernd 2021-02-24 21:01:46 UTC
Please stabilize.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 09:54:21 UTC
*** Bug 772515 has been marked as a duplicate of this bug. ***
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 11:30:48 UTC
sparc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 14:02:42 UTC
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 17:57:16 UTC
ppc64 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 18:59:37 UTC
arm64 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-02-26 08:11:28 UTC
x86 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 15:18:24 UTC
amd64 done
Comment 14 Rolf Eike Beer archtester 2021-02-26 20:31:38 UTC
hppa stable
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 00:38:48 UTC
Please clean up.
Comment 16 Bernd 2021-02-27 10:33:11 UTC
2.3.0 will have to wait a bit. There has been an open last-rite PR since around the end of December to mask openexr_viewers, in preparation for this cleanup, which hasn't been merged yet. See https://github.com/gentoo/gentoo/pull/18796

What's the shortest time for a last-rite?
Comment 17 Larry the Git Cow gentoo-dev 2021-02-27 10:51:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dee93092207d54d88c00d3e68de87899c7f9600f

commit dee93092207d54d88c00d3e68de87899c7f9600f
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-07 17:14:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 10:51:44 +0000

    profiles/package.mask: last rite media-gfx/openexr_viewers
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18796
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 10:53:25 UTC
(In reply to Bernd from comment #16)
> 2.3.0 will have to wait a bit. There has been an open last-rite PR since
> around the end of December to mask openexr_viewers, in preparation for this
> cleanup, which hasn't been merged yet. See
> https://github.com/gentoo/gentoo/pull/18796
> 
> What's the shortest time for a last-rite?

We can wait the 30 days, it's not a big problem. Plus, we could mask the older versions with it.
Comment 19 Larry the Git Cow gentoo-dev 2021-02-27 16:38:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00ce4f7721d0c886ba613dbe3d5c67f7361f1934

commit 00ce4f7721d0c886ba613dbe3d5c67f7361f1934
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:25:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:37:15 +0000

    media-libs/openexr: drop 2.5.4
    
    Security cleanup.
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.4.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=846308f2111948a93e71caf312b2fea8dec2f121

commit 846308f2111948a93e71caf312b2fea8dec2f121
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:13:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:37:13 +0000

    media-libs/openexr: drop 2.5.2
    
    Security cleanup.
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/746794
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                |  1 -
 media-libs/openexr/openexr-2.5.2-r1.ebuild | 63 ------------------------------
 2 files changed, 64 deletions(-)
Comment 20 Bernd 2021-03-26 17:05:02 UTC
This PR should finish the cleanup.
Comment 21 Bernd 2021-03-26 17:05:22 UTC
This PR should finish the cleanup.
Comment 22 Bernd 2021-03-26 17:06:09 UTC
Sorry double post :/
Comment 23 Larry the Git Cow gentoo-dev 2021-03-31 06:31:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                        |   1 -
 ...penexr-2.2.0-Install-missing-header-files.patch |  60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch     |  43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch    |  75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch    |  71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch   |  17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch     |  68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch     |  31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch       |  17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch |  36 -------
 media-libs/openexr/openexr-2.3.0.ebuild            |  79 --------------
 12 files changed, 615 deletions(-)
Comment 24 Larry the Git Cow gentoo-dev 2021-06-01 00:28:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e719b19ac0d518305ec3ca9cef56cb8741742b1

commit 0e719b19ac0d518305ec3ca9cef56cb8741742b1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-19 21:41:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-01 00:27:50 +0000

    media-libs/openexr: bump to 2.5.6
    
    Bug: https://bugs.gentoo.org/791136
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.6.ebuild | 61 +++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 25 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:00:44 UTC
GLSA request filed.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2021-07-11 02:34:28 UTC
This issue was resolved and addressed in GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27 by GLSA coordinator John Helmert III (ajak).