Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 801373 (CVE-2021-3598)

Summary: <media-libs/openexr-{2.5.7,3.0.5}: buffer overflow (CVE-2021-3598)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: media-video, proxy-maint, waebbl-gentoo
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1970987
See Also: https://github.com/gentoo/gentoo/pull/20930
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 787452    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-09 18:56:09 UTC
CVE-2021-3598:

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.


So, the RedHat bug says this is a buffer overflow, the upstream issue [1]
says this is a buffer overflow, but RedHat's CVE says this is a buffer
overread. This is OpenEXR too so no doubt will be more fuzzer bugs once this
is released.

[1] https://github.com/AcademySoftwareFoundation/openexr/issues/1033
Comment 1 Bernd 2021-07-09 19:12:08 UTC
AFAICS this will also be fixed in post 2.5.7 release for <v3 releases, see https://github.com/AcademySoftwareFoundation/openexr/pull/1040.

For v3 releases, there's a PR I'm working on for implementing slots for openexr. I'll add this bug, next time I push.
Comment 2 Larry the Git Cow gentoo-dev 2021-07-21 21:57:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c92b3342d9a7cd0d2c90f81244a02f23b249db46

commit c92b3342d9a7cd0d2c90f81244a02f23b249db46
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-21 23:12:34 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-07-21 21:57:28 +0000

    media-libs/openexr: bump to 3.0.5
    
    Improves slotting, so that openexr-2 and openexr-3
    can be installed in parallel.
    Drop multilib support. Only multilib-aware consumer was
    media-libs/opencv. Using multilib would require it on
    dev-libs/imath as well which is not possible.
    
    Closes: https://bugs.gentoo.org/788286
    Bug: https://bugs.gentoo.org/788310
    Bug: https://bugs.gentoo.org/801373
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 media-libs/openexr/Manifest                        |   1 +
 ...5-0001-changes-needed-for-proper-slotting.patch | 119 +++++++++++
 ...0002-add-version-to-binaries-for-slotting.patch | 229 +++++++++++++++++++++
 media-libs/openexr/openexr-3.0.5.ebuild            |  77 +++++++
 4 files changed, 426 insertions(+)
Comment 3 Bernd 2021-07-24 17:04:17 UTC
According to https://github.com/AcademySoftwareFoundation/openexr/blob/v3.0.5/CHANGES.md#version-305-july-1-2021 the above issue has been closed by PR #1037, which is referenced for 3.0.5.

It should also be solved in 2.5.7, c.f. https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/CHANGES.md#version-257-june-16-2021
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 17:18:49 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-3598:
> This is OpenEXR too so no doubt will be more fuzzer bugs once this
> is released.

Maybe I was wrong!

There are only two oss-fuzz issues in 2.5.7 changelog:

OSS-fuzz 28051 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
OSS-fuzz 28155 Crash in Imf_2_5::PtrIStream::read

Then 3.0.5 only says

1036 detect buffer overflows in RleUncompress
Comment 5 Bernd 2021-07-24 17:47:12 UTC
3.0.5 and 2.5.7 both speak of

1037 verify data size in deepscanlines with NO_COMPRESSION

which is the PR that solves issue #1033, referenced in your description.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3598 only speaks of 3.0.5, but from the reference in CHANGES.md, I suppose, 2.5.7 has it solved as well.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 17:55:21 UTC
(In reply to Bernd from comment #5)
> 3.0.5 and 2.5.7 both speak of
> 
> 1037 verify data size in deepscanlines with NO_COMPRESSION
> 
> which is the PR that solves issue #1033, referenced in your description.
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3598 only speaks of
> 3.0.5, but from the reference in CHANGES.md, I suppose, 2.5.7 has it solved
> as well.

I agree. The CVE is wrong. I don't suppose RedHat cares.
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:21:07 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:29:16 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:37:12 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:45:16 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:53:18 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 18:01:14 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:09:34 UTC
Package list is empty or all packages have requested keywords.
Comment 14 Larry the Git Cow gentoo-dev 2022-01-09 15:48:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7683cc9603063d01488cfc83b79ca58f6cc1c207

commit 7683cc9603063d01488cfc83b79ca58f6cc1c207
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 15:04:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:59 +0000

    media-libs/ilmbase: Drop 2.5.6
    
    Drops ppc/ppc64 to ~arch.
    
    IUSE openexr has been stable-masked on ppc64 with commit 152f2066
    and remains in use.mask on ppc32 anyway.
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/ilmbase/Manifest             |  1 -
 media-libs/ilmbase/ilmbase-2.5.6.ebuild | 41 ---------------------------------
 2 files changed, 42 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35787c9f4ca8dd500938349db43ecfee3fe44805

commit 35787c9f4ca8dd500938349db43ecfee3fe44805
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 14:55:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:58 +0000

    media-libs/openexr: Cleanup vulnerable 2.5.6
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.6.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 01:29:19 UTC
GLSA request filed.
Comment 16 Larry the Git Cow gentoo-dev 2022-10-31 01:41:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:29 UTC
GLSA released, all done!