Bug 787452 (CVE-2021-23169)

Summary: <media-libs/openexr-2.5.7: multiple vulnerabilities (CVE-2021-23169)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: media-video, ppc64, proxy-maint, waebbl-gentoo
Priority: Normal
Keywords: CC-ARCHES, PullRequest, STABLEREQ
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/19964
          https://github.com/gentoo/gentoo/pull/21373
Whiteboard: B3 [stable cve]
Package list: media-libs/openexr-2.5.7 media-libs/ilmbase-2.5.7 dev-python/pyilmbase-2.5.7 amd64
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 801373, 810541

Description GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 15:59:52 UTC
CVE-2021-23169 (https://nvd.nist.gov/vuln/detail/CVE-2021-23169):
  Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer


https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e

Not yet backported to v2.5.x.
Comment 1 Bernd 2021-05-01 17:14:24 UTC
There's already a PR for 3.0.1 available which should fix this.
Comment 2 John Helmert III gentoo-dev Security 2021-06-17 21:37:54 UTC
This is fixed in 2.5.7 alongside another oss-fuzz issue:

OSS-Fuzz 28155 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28155): Crash in Imf_2_5::PtrIStream::read

Please bump.
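A quick way to check whether an installed openexr is older than the 2.5.7 release named above as the fix, added here as an illustration and not taken from this bug thread or from the OpenEXR project. It accepts a package atom in the form portage tools print (for example the output of `qlist -Iv media-libs/openexr` from portage-utils), strips the category and any Gentoo `-rN` revision suffix, and compares the remaining dotted version against 2.5.7 component by component, so that a hypothetical 2.5.10 is treated as newer than 2.5.7 rather than older as a plain string comparison would do. The function names `plain_version`, `cmp_versions` and `openexr_vulnerable` and the sample atom are the example's own; the comparison assumes purely numeric components (no `_rc` or `_p` suffixes), which is true of the versions this bug discusses.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or the OpenEXR project): decide whether
# an installed media-libs/openexr version predates the 2.5.7 release that the
# bug summary names as the fixed version.

FIXED_VERSION=2.5.7   # from the bug summary: "<media-libs/openexr-2.5.7"

# Reduce a package atom to its dotted version, e.g.
# "media-libs/openexr-2.5.6-r1" -> "2.5.6". Category, the "openexr-" name
# prefix and a Gentoo "-rN" revision are dropped; a bare "2.5.6" is passed through.
plain_version() {
    v=${1##*/}            # drop "category/"
    v=${v#openexr-}       # drop the package name if present
    v=${v%%-r[0-9]*}      # drop an ebuild revision such as "-r1"
    printf '%s\n' "$v"
}

# Compare two dotted numeric versions component by component and print
# -1, 0 or 1. Missing trailing components count as 0, so "2.5" < "2.5.7".
# Assumes every component is an integer (no "_rc1"-style suffixes).
cmp_versions() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}                    # leading component
        [ "$ah" = "$a" ] && a= || a=${a#*.}          # consume it
        [ "$bh" = "$b" ] && b= || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeed (exit 0) when the given atom or version is older than the fix,
# i.e. still affected by this bug.
openexr_vulnerable() {
    ver=$(plain_version "$1")
    [ "$(cmp_versions "$ver" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample input standing in for what `qlist -Iv media-libs/openexr`
# would print on a host that still has the pre-fix version installed.
SAMPLE_INSTALLED="media-libs/openexr-2.5.6-r1"
if openexr_vulnerable "$SAMPLE_INSTALLED"; then
    echo "$SAMPLE_INSTALLED: affected by bug 787452, upgrade to >=$FIXED_VERSION"
else
    echo "$SAMPLE_INSTALLED: not affected by bug 787452"
fi
```

On a real system replace the constructed `SAMPLE_INSTALLED` with the installed atom and remember that the fix only tells you the library is patched; anything statically bundling an older OpenEXR is outside what this check can see.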
Comment 3 Larry the Git Cow gentoo-dev 2021-06-22 18:35:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=075636aa0f50bf863c6185af87942ee1eca5e044

commit 075636aa0f50bf863c6185af87942ee1eca5e044
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-06-21 22:38:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-22 18:35:06 +0000

    media-libs/openexr: bump to 2.5.7
    
    Closes: https://bugs.gentoo.org/656680
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/787452
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ...nexr-2.5.7-0001-disable-testRgba-on-sparc.patch | 31 ++++++++++
 media-libs/openexr/openexr-2.5.7.ebuild            | 68 ++++++++++++++++++++++
 3 files changed, 100 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2021-06-22 18:44:31 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-06-22 18:56:26 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-06-22 19:40:46 UTC Comment hidden (obsolete)
Comment 7 John Helmert III gentoo-dev Security 2021-07-09 18:41:36 UTC
Ping.
Comment 8 Agostino Sarubbo gentoo-dev 2021-07-10 10:44:00 UTC
amd64 stable
Comment 9 Sam James archtester gentoo-dev Security 2021-07-10 15:40:53 UTC
arm64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-07-11 20:52:00 UTC
x86 done
Comment 11 Rolf Eike Beer archtester 2021-07-22 15:03:26 UTC
sparc stable
Comment 12 Rolf Eike Beer archtester 2021-08-05 12:45:44 UTC
hppa done
Comment 13 Bernd 2021-10-13 05:29:20 UTC
Can we continue with the stabilization, so 2.5.6 can be dropped? Thank you.
Comment 14 NATTkA bot gentoo-dev 2021-10-16 09:16:55 UTC Comment hidden (obsolete)