Bug 277202 (CVE-2009-1720) - <media-libs/openexr-1.7.0: multiple vulnerabilities (CVE-2009-{1720,1721})
Summary: <media-libs/openexr-1.7.0: multiple vulnerabilities (CVE-2009-{1720,1721})
Alias: CVE-2009-1720
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Duplicates: 346657
Reported: 2009-07-09 15:05 UTC by Robert Buchholz (RETIRED)
Modified: 2013-12-09 06:24 UTC (History)
Runtime testing required: ---

Attachments:
openexr-CVE-2009-1720+CVE-2009-1721.patch (20.17 KB, patch) - 2009-08-06 22:24 UTC, Robert Buchholz (RETIRED)
openexr-1.6.1-CVE-2009-1720+CVE-2009-1721.patch (19.71 KB, patch) - 2009-08-06 22:24 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 15:05:53 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Drew Yao of Apple Product Security reported two integer overflows and one free() on an uninitialized pointer in OpenEXR 1.6.1 and earlier. The following is an excerpt of his email. He also provided patches, but I'd like upstream to sign off on them first.

Bugs 1 and 2: CVE-2009-1720
Bug 3: CVE-2009-1721
Bug 4: CVE-2009-1722

Bug 1)

Integer overflow in Imf::PreviewImage::PreviewImage in  

PreviewImage::PreviewImage (unsigned int width,
                            unsigned int height,
                            const PreviewRgba pixels[])
  _width = width;
  _height = height;
  _pixels = new PreviewRgba [_width * _height];

If _width * _height * sizeof(PreviewRgba) wraps around to a small  
number, an unexpectedly small buffer will be allocated, leading to  
memory corruption.

Bug 2)
Integer overflows in compressor constructors


Pxr24Compressor::Pxr24Compressor (const Header &hdr,
                                  int maxScanLineSize,
                                  int numScanLines)
  Compressor (hdr),
  _maxScanLineSize (maxScanLineSize),
  _numScanLines (numScanLines),
  _tmpBuffer (0),
  _outBuffer (0),
  _channels (hdr.channels())
  int maxInBytes = maxScanLineSize * numScanLines;

  _tmpBuffer = new unsigned char [maxInBytes];
  _outBuffer = new char [int (ceil (maxInBytes * 1.01)) + 100];

maxScanLineSize and numScanLines come from the file.  If the  
multiplication wraps around, the buffer would be allocated  
unexpectedly small, leading to memory corruption later.

Bug 3)
Freeing uninitialized pointers in Imf::hufUncompress

hufUncompress (const char compressed[],
               int nCompressed,
               unsigned short raw[],
               int nRaw)
  AutoArray <Int64, HUF_ENCSIZE> freq;
  AutoArray <HufDec, HUF_DECSIZE> hdec;

  hufUnpackEncTable (&ptr, nCompressed - (ptr - compressed), im, iM,  

        if (nBits > 8 * (nCompressed - (ptr - compressed)))

        hufBuildDecTable (freq, im, iM, hdec);
        hufDecode (freq, hdec, ptr, nBits, iM, nRaw, raw);
  catch (...)
        hufFreeDecTable (hdec);

  hufFreeDecTable (hdec);

hufFreeDecTable (HufDec *hdecod)        // io: Decoding table
  for (int i = 0; i < HUF_DECSIZE; i++)
        if (hdecod[i].p)
            delete [] hdecod[i].p;
            hdecod[i].p = 0;

The problem is that the catch block will call hufFreeDecTable to free  
every pointer in the table, even if part of the table is uninitialized.

Bug 4)
Buffer overflow in ImfPizCompressor.cpp
This was fixed a while ago in version 1.6.1, but never got a CVE.

October 22, 2007 - New versions of OpenEXR and CTL are now available.  
This release fixes a buffer overrun in OpenEXR and a Windows build  
problem in CTL, and it removes a few unnecessary files from  
the .tar.gz packages. OpenEXR 1.6.1, OpenEXR_Viewers 1.0.1 and IlmBase
1.0.1 can be downloaded from the downloads section of  
CTL 1.4.1 and OpenEXR_CTL 1.0.1 can be downloaded from 
Relevant patches for this bug:
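The three excerpts in the report share two root causes: a buffer size computed by an unchecked multiplication of attacker-controlled dimensions (bugs 1 and 2), and a cleanup routine that walks a table whose entries may never have been set (bug 3). The following C++ is an added example, not OpenEXR code and not Drew Yao's patch: it shows the wrapping computation next to a checked variant, and a decoding table whose entries are null before any build step so that cleanup after a mid-build failure is always well-defined. The PreviewRgba layout, the INT_MAX / 2 headroom cap, and the DecTable/buildTable stand-ins are constructed for the example.

```cpp
// Added example, not OpenEXR code. PreviewRgba, DecTable and buildTable are
// constructed stand-ins for the library's types and routines.
#include <cstddef>
#include <cstdio>
#include <limits>
#include <memory>
#include <stdexcept>
#include <vector>

// Constructed stand-in for Imf::PreviewRgba: four 8-bit channels.
struct PreviewRgba { unsigned char r, g, b, a; };

// Bug 1 as reported: `new PreviewRgba [_width * _height]` multiplies two
// unsigned ints, so the element count wraps modulo 2^32 for large images.
unsigned int wrappedElementCount(unsigned int width, unsigned int height)
{
    return width * height;                          // wraps silently
}

// Checked variant: reject any pair whose product does not fit the type the
// original code multiplies in, and make sure the byte count fits size_t too.
bool checkedElementCount(unsigned int width, unsigned int height, std::size_t &out)
{
    const unsigned int umax = std::numeric_limits<unsigned int>::max();
    if (width != 0 && height > umax / width)
        return false;                               // width * height would wrap
    std::size_t n = static_cast<std::size_t>(width) * height;
    if (n > std::numeric_limits<std::size_t>::max() / sizeof(PreviewRgba))
        return false;                               // n * sizeof would wrap
    out = n;
    return true;
}

// Bug 2: maxScanLineSize and numScanLines are ints read from the file. Signed
// overflow is undefined, so the product is formed in 64 bits and range-checked
// before any buffer size is derived from it. The INT_MAX / 2 cap (a choice made
// for this example) leaves headroom for the "* 1.01 + 100" output buffer.
bool checkedScanLineBytes(int maxScanLineSize, int numScanLines, int &out)
{
    if (maxScanLineSize < 0 || numScanLines < 0)
        return false;                               // negative sizes from the file
    long long prod = static_cast<long long>(maxScanLineSize) * numScanLines;
    if (prod > std::numeric_limits<int>::max() / 2)
        return false;
    out = static_cast<int>(prod);
    return true;
}

// Bug 3: hufFreeDecTable deletes `p` in every entry that is non-null, which is
// only safe if every `p` was null before the build began. Here each entry owns
// its pointer and is value-initialized, so a failure part-way through leaves a
// well-defined table and cleanup never touches an indeterminate pointer.
struct DecEntry
{
    std::unique_ptr<int[]> p;                       // null until the entry is built
    int len = 0;
};

struct DecTable
{
    std::vector<DecEntry> entries;
    explicit DecTable(std::size_t n) : entries(n) {}  // every p starts as nullptr

    std::size_t allocated() const
    {
        std::size_t count = 0;
        for (const DecEntry &e : entries)
            if (e.p) ++count;
        return count;
    }
};

// Builds entries in order and throws once `failAfter` entries exist, standing
// in for hufBuildDecTable rejecting a corrupt table (constructed behaviour).
void buildTable(DecTable &table, std::size_t failAfter)
{
    for (std::size_t i = 0; i < table.entries.size(); ++i) {
        if (i == failAfter)
            throw std::runtime_error("corrupt Huffman table");
        table.entries[i].len = 4;
        table.entries[i].p.reset(new int[4]());
    }
}

// Returns how many entries held memory when the failure was caught. The catch
// block releases what was allocated, like hufFreeDecTable, but unset entries
// are null rather than garbage, so every reset() is safe.
std::size_t decodeWithPartialFailure(std::size_t n, std::size_t failAfter)
{
    DecTable table(n);
    try {
        buildTable(table, failAfter);
    } catch (const std::exception &) {
        std::size_t built = table.allocated();
        for (DecEntry &e : table.entries)
            e.p.reset();
        return built;
    }
    return table.allocated();
}

int main()
{
    std::printf("65536 x 65537 wraps to %u elements\n", wrappedElementCount(65536u, 65537u));
    std::size_t n = 0;
    std::printf("checked: %s\n", checkedElementCount(65536u, 65537u, n) ? "ok" : "rejected");
    std::printf("entries built before failure: %zu of 8\n", (size_t) decodeWithPartialFailure(8, 3));
    return 0;
}
```

The checked functions deliberately test against the limits of the type the original code uses (unsigned int for the preview, int for the compressor sizes) rather than size_t, since on a 64-bit build a size_t-only check would accept a 65536 x 65537 preview that the 32-bit multiplication in the original still wraps.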
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-29 00:24:28 UTC
now public
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 20:24:15 UTC
craig: CVE-2009-1722 was fixed in 2007 in gentoo and is not relevant anymore
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 22:24:33 UTC
Created attachment 200439

patch in CVS HEAD.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 22:24:59 UTC
Created attachment 200441

trivial backport to 1.6.1

please bump!
Comment 5 Alexis Ballier gentoo-dev 2009-08-07 06:50:07 UTC
(In reply to comment #4)
> Created an attachment (id=200441)
> openexr-1.6.1-CVE-2009-1720+CVE-2009-1721.patch
> trivial backport to 1.6.1
> please bump!

Problem is, this breaks ABI, use 
nm -D --defined-only /usr/lib/  | awk '{print $3}' | c++filt
to obtain it.
Then, diffing the output gives me:

-Imf::B44Compressor::B44Compressor(Imf::Header const&, int, int, bool)
-Imf::B44Compressor::B44Compressor(Imf::Header const&, int, int, bool)
+Imf::B44Compressor::B44Compressor(Imf::Header const&, unsigned long, unsigned long, bool)
+Imf::B44Compressor::B44Compressor(Imf::Header const&, unsigned long, unsigned long, bool)

Defined in /usr/include/OpenEXR/ImfB44Compressor.h, hence available for library consumers.
Other changes are not defined in public headers thus may be considered safe.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 08:42:47 UTC
Oh, I did not notice. I checked, the CVS HEAD has the same LIBTOOL_CURRENT as the last release (6). We could either contact Florian Kainz about increasing it so their next release is ok and then amend the patch, or use the original patches by Drew Yao which should be ABI compatible.

Since I prefer going with the upstream approach, I'd mail him if you have not done so yet.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 00:24:08 UTC
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2010-11-24 14:43:52 UTC
Test & stabilize:

=media-libs/ilmbase-1.0.2  "alpha amd64 hppa ia64 ppc ppc64 s390 sh sparc x86"
=media-libs/openexr-1.7.0  "alpha amd64 hppa ia64 ppc ppc64 s390 sh sparc x86"
=media-gfx/openexr_viewers-1.0.2   "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2010-11-24 14:44:16 UTC
*** Bug 346657 has been marked as a duplicate of this bug. ***
Comment 10 Agostino Sarubbo gentoo-dev 2010-11-24 16:10:46 UTC
amd64 ok
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-25 13:24:29 UTC
Stable for HPPA.
Comment 12 Alex Buell 2010-11-26 07:55:35 UTC
Tested on SPARC: ilmbase-1.0.2 passed all tests; openexr-1.7.0 built OK but failed on one of the tests, which aborted the testing process as it threw an assert; openexr_viewers-1.0.2 built OK, but has no tests to run through. I think it's up to you whether you can stabilise or not on SPARC, but personally I'd investigate the test failure and why it aborted.
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2010-11-26 08:35:57 UTC
amd64 done. Thanks Agostino
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-26 22:12:37 UTC
x86 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2010-12-04 19:21:44 UTC
alpha/ia64/sparc stable, s390/sh keywords dropped
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-08 16:52:12 UTC
Stable for PPC.
Comment 17 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-06 17:31:41 UTC
ppc64 done.

@security: last arch done, into your hands
Comment 18 Samuli Suominen (RETIRED) gentoo-dev 2011-01-06 17:36:14 UTC
and vulnerable versions removed from tree as well, add media-video@ back if you need something, thanks!
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-01-06 17:41:41 UTC
GLSA request filed.
Comment 20 Francesco Riosa 2013-07-29 17:27:18 UTC
hum, maybe it's time to close?
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2013-12-09 06:24:37 UTC
This issue was resolved and addressed in
 GLSA 201312-07 at
by GLSA coordinator Chris Reffett (creffett).