Summary: | <media-libs/openexr-{2.5.7,3.0.5}: buffer overflow (CVE-2021-3598) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | John Helmert III <ajak>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | media-video, proxy-maint, waebbl-gentoo
Priority: | Normal | Keywords: | PullRequest
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1970987 | |
See Also: | https://github.com/gentoo/gentoo/pull/20930 | |
Whiteboard: | B2 [glsa+] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 787452 | |
Bug Blocks: | | |
Description
John Helmert III
2021-07-09 18:56:09 UTC
AFAICS this will also be fixed in post 2.5.7 release for <v3 releases, see https://github.com/AcademySoftwareFoundation/openexr/pull/1040.
For v3 releases, there's a PR I'm working on for implementing slots for openexr. I'll add this bug, next time I push.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c92b3342d9a7cd0d2c90f81244a02f23b249db46

commit c92b3342d9a7cd0d2c90f81244a02f23b249db46
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-21 23:12:34 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-07-21 21:57:28 +0000

    media-libs/openexr: bump to 3.0.5

    Improves slotting, so that openexr-2 and openexr-3 can be installed in parallel.
    Drop multilib support. Only multilib-aware consumer was media-libs/opencv.
    Using multilib would require it on dev-libs/imath as well which is not possible.

    Closes: https://bugs.gentoo.org/788286
    Bug: https://bugs.gentoo.org/788310
    Bug: https://bugs.gentoo.org/801373
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 media-libs/openexr/Manifest | 1 +
 ...5-0001-changes-needed-for-proper-slotting.patch | 119 +++++++++++
 ...0002-add-version-to-binaries-for-slotting.patch | 229 +++++++++++++++++++++
 media-libs/openexr/openexr-3.0.5.ebuild | 77 +++++++
 4 files changed, 426 insertions(+)

According to https://github.com/AcademySoftwareFoundation/openexr/blob/v3.0.5/CHANGES.md#version-305-july-1-2021 the above issue has been closed by PR #1037, which is referenced for 3.0.5.
It should also be solved in 2.5.7, c.f. https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/CHANGES.md#version-257-june-16-2021

(In reply to John Helmert III from comment #0)
> CVE-2021-3598:
> This is OpenEXR too so no doubt will be more fuzzer bugs once this
> is released.

Maybe I was wrong!

There are only two oss-fuzz issues in 2.5.7 changelog:

OSS-fuzz 28051 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
OSS-fuzz 28155 Crash in Imf_2_5::PtrIStream::read

Then 3.0.5 only says

1036 detect buffer overflows in RleUncompress

3.0.5 and 2.5.7 both speak of

1037 verify data size in deepscanlines with NO_COMPRESSION

which is the PR that solves issue #1033, referenced in your description.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3598 only speaks of 3.0.5, but from the reference in CHANGES.md, I suppose, 2.5.7 has it solved as well.

(In reply to Bernd from comment #5)
> 3.0.5 and 2.5.7 both speak of
>
> 1037 verify data size in deepscanlines with NO_COMPRESSION
>
> which is the PR that solves issue #1033, referenced in your description.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3598 only speaks of
> 3.0.5, but from the reference in CHANGES.md, I suppose, 2.5.7 has it solved
> as well.

I agree. The CVE is wrong. I don't suppose RedHat cares.

Package list is empty or all packages have requested keywords.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7683cc9603063d01488cfc83b79ca58f6cc1c207

commit 7683cc9603063d01488cfc83b79ca58f6cc1c207
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 15:04:56 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:59 +0000

    media-libs/ilmbase: Drop 2.5.6

    Drops ppc/ppc64 to ~arch.
    IUSE openexr has been stable-masked on ppc64 with commit 152f2066 and
    remains in use.mask on ppc32 anyway.

    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/ilmbase/Manifest | 1 -
 media-libs/ilmbase/ilmbase-2.5.6.ebuild | 41 ---------------------------------
 2 files changed, 42 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35787c9f4ca8dd500938349db43ecfee3fe44805

commit 35787c9f4ca8dd500938349db43ecfee3fe44805
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 14:55:16 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:58 +0000

    media-libs/openexr: Cleanup vulnerable 2.5.6

    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest | 1 -
 media-libs/openexr/openexr-2.5.6.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)

GLSA request filed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

GLSA released, all done!