
Bug 903807 (CVE-2023-22845, CVE-2023-24472, CVE-2023-24473)

Summary: <media-libs/openimageio-2.4.12.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: sci
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [stable?]
Package list: (none)
Runtime testing required: ---
Bug Depends on: 917680
Bug Blocks: (none)

Description (John Helmert III, 2023-04-05 03:28:11 UTC)
CVE-2023-22845 (https://talosintelligence.com/vulnerability_reports/TALOS-2023-1708):

An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-24472 (https://talosintelligence.com/vulnerability_reports/TALOS-2023-1709):

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.

CVE-2023-24473 (https://talosintelligence.com/vulnerability_reports/TALOS-2023-1707):

An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.

Unclear if fixed.
Comment 1 (John Helmert III, 2023-05-29 04:02:40 UTC)
These are fixed in v2.4.8.1: https://github.com/OpenImageIO/oiio/releases/tag/v2.4.8.1
Comment 2 (John Helmert III, 2023-11-21 17:53:08 UTC)
Looks like 2.4.12.0 is the first version with fixes here. Probably will be covered by the stabilization in bug 917679.