
Bug 838079

Summary: <media-libs/openexr-3.1.5: oss-fuzz issues
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video, proxy-maint, waebbl-gentoo
Priority: Normal
Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.1.5
See Also: https://github.com/gentoo/gentoo/pull/25022
https://github.com/gentoo/gentoo/pull/27522
https://github.com/gentoo/gentoo/pull/29317
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 878149, 837911, 839582, 877865, 877901, 878173, 878243, 878247    
Bug Blocks: 878213    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-12 14:02:26 UTC
From URL:

"Specific OSS-fuzz issues addressed:
- OSS-fuzz [46309](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46309) Heap-buffer-overflow in Imf_3_1::memstream_read
- OSS-fuzz [46083](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46083) Out-of-memory in openexr_exrcheck_fuzzer
- OSS-fuzz [45899](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45899) Integer-overflow in internal_exr_compute_chunk_offset_size
- OSS-fuzz [44084](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44084) Out-of-memory in openexr_exrcheck_fuzzer"

Please bump to 3.1.5.
Comment 1 Larry the Git Cow gentoo-dev 2022-04-19 06:41:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2cad20e1001813a9869391b4281a435a174a0401

commit 2cad20e1001813a9869391b4281a435a174a0401
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-04-14 04:38:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-19 06:41:31 +0000

    media-libs/openexr: add 3.1.5
    
    Closes: https://bugs.gentoo.org/837911
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/25022
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-3.1.5.ebuild | 67 +++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-19 15:44:24 UTC
Thanks! Please stabilize 3.1.5 when ready.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 22:46:48 UTC
Please clean up.
Comment 4 Larry the Git Cow gentoo-dev 2022-09-29 05:53:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7f15717240e71aad00ea50b1661095658a6390b

commit e7f15717240e71aad00ea50b1661095658a6390b
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-09-29 05:21:38 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-29 05:52:59 +0000

    media-libs/openexr: drop 3.1.4-r1
    
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/27522
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                |  1 -
 media-libs/openexr/openexr-3.1.4-r1.ebuild | 73 ------------------------------
 2 files changed, 74 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 01:29:43 UTC
GLSA request filed.
Comment 6 Bernd 2022-10-22 07:18:16 UTC
AFAICS the bugs are all related to the OpenEXRCore C engine, which isn't present in the RB-2.5 branch.

Additionally, according to upstream's SECURITY.md file, the issues are not present in the 2.x versions of OpenEXR: https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/SECURITY.md
Comment 7 Larry the Git Cow gentoo-dev 2022-10-31 01:42:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2023-01-28 11:27:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb815ca5634fd66f398d1e58cfd35a61688114cd

commit cb815ca5634fd66f398d1e58cfd35a61688114cd
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2023-01-28 10:24:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-01-28 11:26:42 +0000

    media-libs/openexr: drop 2.5.8
    
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/29317
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 -
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 -------------
 ...xr-2.5.7-0002-increase-IlmImfTest-timeout.patch | 13 ----
 media-libs/openexr/openexr-2.5.8.ebuild            | 70 ----------------------
 4 files changed, 124 deletions(-)