
Bug 917679 (CVE-2023-36183, CVE-2023-42295, CVE-2023-42299)

Summary: <media-libs/openimageio-2.5.4.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: sci
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 917680    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-21 17:50:33 UTC
CVE-2023-42299 (https://github.com/OpenImageIO/oiio/issues/3840):

Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/e5733a0607e7ea9f728f94181aa0689dc693189c

CVE-2023-42295 (https://github.com/OpenImageIO/oiio/issues/3947):

An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636

CVE-2023-36183 (https://github.com/OpenImageIO/oiio/issues/3871):

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/aad99bad9a4f6b965f99a291f9c67458c8c982e8

Please stabilize 2.5.4.0.
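The summary atom `<media-libs/openimageio-2.5.4.0` is the only machine-checkable fact on this bug, so a practitioner's first question is whether a given install falls inside it. The following is an added example, not code from this bug, from Gentoo's tooling, or from OpenImageIO: it implements a simplified Gentoo (PMS) version comparison (numeric components, one optional `_alpha/_beta/_pre/_rc/_p` suffix, optional `-rN` revision; leading-zero components and letter suffixes are deliberately not handled) and scans `qlist -Iv`-style `category/name-version` lines for vulnerable installs. The sample package list is constructed for illustration and is not output from any real system.

```python
"""Check installed Gentoo versions against the affected range from this bug."""
import re
from typing import List, Tuple

# Taken from the bug: affected atom "<media-libs/openimageio-2.5.4.0" and its CVEs.
PACKAGE = "media-libs/openimageio"
FIXED_VERSION = "2.5.4.0"
CVES = ("CVE-2023-36183", "CVE-2023-42295", "CVE-2023-42299")

# Suffix ordering per PMS: _alpha < _beta < _pre < _rc < (no suffix) < _p.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)

def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int, int]:
    """Parse a Gentoo version into a tuple that sorts in PMS order.

    Assumption/simplification: numeric components are compared as integers,
    so leading-zero components (1.01 vs 1.1), letter suffixes (1.0a) and
    chained suffixes (_rc1_p2) are rejected or compared differently from PMS.
    A version with more numeric components sorts above its shorter prefix,
    which matches PMS (2.5.4 < 2.5.4.0).
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffix_rank = _SUFFIX_RANK[m.group("suffix") or ""]
    suffix_num = int(m.group("sufnum") or 0)
    revision = int(m.group("rev") or 0)
    return nums, suffix_rank, suffix_num, revision

def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` satisfies the atom '<PACKAGE-<fixed>'."""
    return parse_version(installed) < parse_version(fixed)

# category/name-version: the version is the part after the last '-' that
# starts with a digit, so hyphenated package names are handled.
_QLIST_RE = re.compile(r"^(?P<cat>[^/\s]+)/(?P<pn>.+?)-(?P<pv>\d\S*)$")

def affected_in_qlist(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (atom, version) pairs for vulnerable installs of PACKAGE."""
    hits = []
    for line in lines:
        line = line.strip()
        m = _QLIST_RE.match(line) if line else None
        if not m:
            continue
        atom = f"{m.group('cat')}/{m.group('pn')}"
        if atom == PACKAGE and is_affected(m.group("pv")):
            hits.append((atom, m.group("pv")))
    return hits

# Constructed sample of `qlist -Iv` output; not from a real system.
SAMPLE_QLIST = """\
dev-libs/openssl-3.0.13-r2
media-libs/openimageio-2.4.12.0
media-libs/openexr-3.1.13
x11-libs/gtk+-3.24.41
""".splitlines()

if __name__ == "__main__":
    for atom, pv in affected_in_qlist(SAMPLE_QLIST):
        print(f"{atom}-{pv}: affected by {', '.join(CVES)}; "
              f"upgrade to >={PACKAGE}-{FIXED_VERSION}")
```

Note that a `-rN` revision of 2.5.4.0 or a `_p` snapshot above it is correctly treated as fixed, while `2.5.4.0_rc1` is still inside the affected range; on a real host, feed the function the output of `qlist -Iv` (app-portage/portage-utils) rather than the constructed sample.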
Comment 1 Larry the Git Cow gentoo-dev 2025-06-12 08:57:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f0b25787de9e17e5ca15e087fad7d43ae70a20ab

commit f0b25787de9e17e5ca15e087fad7d43ae70a20ab
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-06-12 08:57:10 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-06-12 08:57:17 +0000

    [ GLSA 202506-09 ] OpenImageIO: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/903807
    Bug: https://bugs.gentoo.org/917679
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202506-09.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)