Bug 762862 - <media-libs/openexr-2.5.4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Keywords: PullRequest
Depends on: 762901 770229
Blocks: 746794
Reported: 2021-01-01 00:15 UTC by John Helmert III
Modified: 2021-07-11 02:34 UTC


Description John Helmert III gentoo-dev Security 2021-01-01 00:15:26 UTC
Numerous vulnerabilities said to be fixed in 2.5.4, please bump:

* OSS-fuzz [#24854](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854) Segv on unknown address in Imf_2_5::hufUncompress
* OSS-fuzz [#24831](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831) Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder
* OSS-fuzz [#24969](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24969) Invalid-enum-value in Imf_2_5::TypedAttribute<Imf_2_5::Envmap>::writeValueTo
* OSS-fuzz [#25297](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297) Integer-overflow in Imf_2_5::calculateNumTiles
* OSS-fuzz [#24787](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787) Undefined-shift in Imf_2_5::unpack14
* OSS-fuzz [#25326](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25326) Out-of-memory in openexr_scanlines_fuzzer
* OSS-fuzz [#25399](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25399) Heap-buffer-overflow in Imf_2_5::FastHufDecoder::FastHufDecoder
* OSS-fuzz [#25415](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25415) Abrt in __cxxabiv1::failed_throw
* OSS-fuzz [#25370](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370) Out-of-memory in openexr_exrenvmap_fuzzer
* OSS-fuzz [#25501](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25501) Out-of-memory in openexr_scanlines_fuzzer
* OSS-fuzz [#25505](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25505) Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
* OSS-fuzz [#25562](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562) Integer-overflow in Imf_2_5::hufUncompress
* OSS-fuzz [#25740](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25740) Null-dereference READ in Imf_2_5::Header::operator
* OSS-fuzz [#25743](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25743) Null-dereference in Imf_2_5::MultiPartInputFile::header
* OSS-fuzz [#25913](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913) Out-of-memory in openexr_exrenvmap_fuzzer
* OSS-fuzz [#26229](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229) Undefined-shift in Imf_2_5::hufDecode
* OSS-fuzz [#26658](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26658) Out-of-memory in openexr_scanlines_fuzzer
* OSS-fuzz [#26956](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956) Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts
* OSS-fuzz [#27409](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [#25892](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25892) Divide-by-zero in Imf_2_5::calculateNumTiles
* OSS-fuzz [#25894](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25894) Floating-point-exception in Imf_2_5::precalculateTileInfo
Comment 1 Larry the Git Cow gentoo-dev 2021-01-24 01:48:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f49c50e51da2ea663ee68a683c07ae97f682f20

commit 0f49c50e51da2ea663ee68a683c07ae97f682f20
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2021-01-03 09:50:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-24 01:48:05 +0000

    media-libs/openexr: bump to 2.5.4
    
    Bug: https://bugs.gentoo.org/656680
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Closes: https://bugs.gentoo.org/762901
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.4.ebuild | 62 +++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3879f7d07fd0e99b3dc26e63f1134ac202a6dd1a

commit 3879f7d07fd0e99b3dc26e63f1134ac202a6dd1a
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2021-01-02 22:26:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-24 01:48:04 +0000

    media-libs/ilmbase: bump to 2.5.4
    
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/762901
    
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ilmbase/Manifest                        |  1 +
 ...2.5.4-0001-disable-failing-test-on-x86_32.patch | 24 +++++++++++++
 media-libs/ilmbase/ilmbase-2.5.4.ebuild            | 42 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)
Comment 2 Bernd 2021-01-24 07:58:59 UTC
Thanks for merging. I give it a week to see whether any issues pop up, before opening a stablereq.
Comment 3 Sam James archtester gentoo-dev Security 2021-02-05 09:13:02 UTC
(In reply to Bernd from comment #2)
> Thanks for merging. I give it a week to see whether any issues pop up,
> before opening a stablereq.

Ready? Let’s stabilise in this bug
Comment 4 Bernd 2021-02-05 09:44:18 UTC
(In reply to Sam James from comment #3)
> (In reply to Bernd from comment #2)
> > Thanks for merging. I give it a week to see whether any issues pop up,
> > before opening a stablereq.
> 
> Ready? Let’s stabilise in this bug

Yes, perfect timing. I had it on my todo for this weekend.
Comment 5 John Helmert III gentoo-dev Security 2021-02-05 14:49:59 UTC
(In reply to Bernd from comment #4)
> (In reply to Sam James from comment #3)
> > (In reply to Bernd from comment #2)
> > > Thanks for merging. I give it a week to see whether any issues pop up,
> > > before opening a stablereq.
> > 
> > Ready? Let’s stabilise in this bug
> 
> Yes, perfect timing. I had it on my todo for this weekend.

Awesome! Any chance you can offer input on the impact of these vulnerabilities? DoS, RCE, etc?
Comment 6 Bernd 2021-02-05 18:51:37 UTC
Could you please also add dev-python/pyilmbase? It's part of the suite.

(In reply to John Helmert III (ajak) from comment #5)
> Awesome! Any chance you can offer input on the impact of these
> vulnerabilities? DoS, RCE, etc?

Only what's available in their release notes. Please see https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md and search for Security. All versions from 2.3.0 up are relevant.
Comment 7 Rolf Eike Beer archtester 2021-02-09 14:16:07 UTC
hppa/sparc stable
Comment 8 NATTkA bot gentoo-dev 2021-02-18 22:04:58 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 9 Larry the Git Cow gentoo-dev 2021-02-27 16:38:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00ce4f7721d0c886ba613dbe3d5c67f7361f1934

commit 00ce4f7721d0c886ba613dbe3d5c67f7361f1934
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:25:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:37:15 +0000

    media-libs/openexr: drop 2.5.4
    
    Security cleanup.
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.4.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)
Comment 10 Bernd 2021-03-26 17:03:42 UTC
This PR should finish the cleanup.
Comment 11 Larry the Git Cow gentoo-dev 2021-03-31 06:31:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                        |   1 -
 ...penexr-2.2.0-Install-missing-header-files.patch |  60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch     |  43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch    |  75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch    |  71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch   |  17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch     |  68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch     |  31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch       |  17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch |  36 -------
 media-libs/openexr/openexr-2.3.0.ebuild            |  79 --------------
 12 files changed, 615 deletions(-)
Comment 12 John Helmert III gentoo-dev Security 2021-07-11 02:00:43 UTC
GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-07-11 02:34:24 UTC
This issue was resolved and addressed in
 GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27
by GLSA coordinator John Helmert III (ajak).