
Bug 917679 (CVE-2023-36183, CVE-2023-42295, CVE-2023-42299)

Summary: <media-libs/openimageio-2.5.4.0: multiple vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
Priority: Normal
CC: sci
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [stable?]
Package list:
Runtime testing required: ---
Bug Depends on: 917680
Bug Blocks:

Description (John Helmert III, 2023-11-21 17:50:33 UTC)
CVE-2023-42299 (https://github.com/OpenImageIO/oiio/issues/3840):

Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/e5733a0607e7ea9f728f94181aa0689dc693189c

CVE-2023-42295 (https://github.com/OpenImageIO/oiio/issues/3947):

An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636

CVE-2023-36183 (https://github.com/OpenImageIO/oiio/issues/3871):

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/aad99bad9a4f6b965f99a291f9c67458c8c982e8

Please stabilize 2.5.4.0.