Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 770229 - <media-libs/openexr-2.5.5: multiple vulnerabilities
Summary: <media-libs/openexr-2.5.5: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/AcademySoftwareFou...
Whiteboard: B2 [glsa+ cve]
Keywords: PullRequest
: 772515 (view as bug list)
Depends on: CVE-2021-20296, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479
Blocks: 762862
  Show dependency tree
 
Reported: 2021-02-12 17:18 UTC by Bernd
Modified: 2021-08-19 17:47 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bernd 2021-02-12 17:18:13 UTC
There's been a new release 2.5.5 with fixes to the following vulnerabilities:

    OSS-fuzz #30291 Timeout in openexr_exrcheck_fuzzer
    OSS-fuzz #29106 Heap-buffer-overflow in Imf_2_5::FastHufDecoder::decode
    OSS-fuzz #28971 Undefined-shift in Imf_2_5::cachePadding
    OSS-fuzz #29829 Integer-overflow in Imf_2_5::DwaCompressor::initializeBuffers
    OSS-fuzz #30121 Out-of-memory in openexr_exrcheck_fuzzer


Reproducible: Always




I'm gonna prepare updated ebuilds.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-16 19:19:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42498dcff76d3e714a374ca102e93fa1974ebc6a

commit 42498dcff76d3e714a374ca102e93fa1974ebc6a
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-14 20:06:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-16 19:19:52 +0000

    dev-python/pyilmbase: bump to 2.5.5
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/19470
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyilmbase/Manifest               |  1 +
 dev-python/pyilmbase/pyilmbase-2.5.5.ebuild | 62 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a24be9405212a46b1bf14c5a3a4b57e090ef10c5

commit a24be9405212a46b1bf14c5a3a4b57e090ef10c5
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-14 14:44:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-16 19:19:52 +0000

    media-libs/openexr: bump to 2.5.5
    
    Mostly security related fuzzer fixes.
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.5.ebuild | 62 +++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77796280d796d69b8cfe8e31bf60813bf2a86bf4

commit 77796280d796d69b8cfe8e31bf60813bf2a86bf4
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-14 10:01:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-16 19:19:52 +0000

    media-libs/ilmbase: bump to 2.5.5
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ilmbase/Manifest             |  1 +
 media-libs/ilmbase/ilmbase-2.5.5.ebuild | 42 +++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-02-16 19:34:57 UTC
Please let us know when ready to stable.
Comment 3 Bernd 2021-02-16 19:44:14 UTC
I think we should give it a few days, to verify revdeps are building successfully. The packages have almost exclusively security fixes and the stabilization process for 2.5.4 was already ongoing.
Comment 4 John Helmert III gentoo-dev Security 2021-02-16 19:58:23 UTC
(In reply to Bernd from comment #3)
> I think we should give it a few days, to verify revdeps are building
> successfully. The packages have almost exclusively security fixes and the
> stabilization process for 2.5.4 was already ongoing.

Ok, but just FYI stabilization here isn't blocked by 2.5.4 stabilization.
Comment 5 Bernd 2021-02-16 21:04:32 UTC
(In reply to John Helmert III (ajak) from comment #4)
> Ok, but just FYI stabilization here isn't blocked by 2.5.4 stabilization.

Although I didn't know this, I wasn't thinking about this being the case.

My thinking was, because stabilization for 2.5.4 is already going and there are no major code changes, a few days to test revdeps should be enough. No need to wait 2 weeks or more.
Comment 6 Bernd 2021-02-24 21:01:46 UTC
Please stabilize.
Comment 7 Sam James archtester gentoo-dev Security 2021-02-25 09:54:21 UTC
*** Bug 772515 has been marked as a duplicate of this bug. ***
Comment 8 Sam James archtester gentoo-dev Security 2021-02-25 11:30:48 UTC
sparc done
Comment 9 Sam James archtester gentoo-dev Security 2021-02-25 14:02:42 UTC
ppc done
Comment 10 Sam James archtester gentoo-dev Security 2021-02-25 17:57:16 UTC
ppc64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-02-25 18:59:37 UTC
arm64 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-02-26 08:11:28 UTC
x86 stable
Comment 13 Sam James archtester gentoo-dev Security 2021-02-26 15:18:24 UTC
amd64 done
Comment 14 Rolf Eike Beer archtester 2021-02-26 20:31:38 UTC
hppa stable
Comment 15 John Helmert III gentoo-dev Security 2021-02-27 00:38:48 UTC
Please cleanup.
Comment 16 Bernd 2021-02-27 10:33:11 UTC
2.3.0 will have to wait a bit. There has been an open last-rite PR since around end of december to mask openexr_viewers, in preparation for this cleanup, which hasn't been merged yet. See https://github.com/gentoo/gentoo/pull/18796

What's the shortest time for a last-rite?
Comment 17 Larry the Git Cow gentoo-dev 2021-02-27 10:51:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dee93092207d54d88c00d3e68de87899c7f9600f

commit dee93092207d54d88c00d3e68de87899c7f9600f
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-07 17:14:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 10:51:44 +0000

    profiles/package.mask: last rite media-gfx/openexr_viewers
    
    Bug: https://bugs.gentoo.org/770229
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18796
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 18 Sam James archtester gentoo-dev Security 2021-02-27 10:53:25 UTC
(In reply to Bernd from comment #16)
> 2.3.0 will have to wait a bit. There has been an open last-rite PR since
> around end of december to mask openexr_viewers, in preparation for this
> cleanup, which hasn't been merged yet. See
> https://github.com/gentoo/gentoo/pull/18796
> 
> What's the shortest time for a last-rite?

We can wait the 30 days, it's not a big problem. Plus, we could mask the older versions with it
Comment 19 Larry the Git Cow gentoo-dev 2021-02-27 16:38:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00ce4f7721d0c886ba613dbe3d5c67f7361f1934

commit 00ce4f7721d0c886ba613dbe3d5c67f7361f1934
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:25:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:37:15 +0000

    media-libs/openexr: drop 2.5.4
    
    Security cleanup.
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.4.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=846308f2111948a93e71caf312b2fea8dec2f121

commit 846308f2111948a93e71caf312b2fea8dec2f121
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-02-27 14:13:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-27 16:37:13 +0000

    media-libs/openexr: drop 2.5.2
    
    Security cleanup.
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/746794
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                |  1 -
 media-libs/openexr/openexr-2.5.2-r1.ebuild | 63 ------------------------------
 2 files changed, 64 deletions(-)
Comment 20 Bernd 2021-03-26 17:05:02 UTC
This PR should finish the cleanup.
Comment 21 Bernd 2021-03-26 17:05:22 UTC
This PR should finish the cleanup.
Comment 22 Bernd 2021-03-26 17:06:09 UTC
Sorry double post :/
Comment 23 Larry the Git Cow gentoo-dev 2021-03-31 06:31:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d2ffc5446d020cde8d473c32485ad5f2e4c6f1

commit 58d2ffc5446d020cde8d473c32485ad5f2e4c6f1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-26 16:46:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-31 06:29:14 +0000

    media-libs/openexr: drop 2.3.0
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/762862
    Bug: https://bugs.gentoo.org/746794
    Bug: https://bugs.gentoo.org/717474
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/openexr/Manifest                        |   1 -
 ...penexr-2.2.0-Install-missing-header-files.patch |  60 -----------
 .../openexr-2.2.0-fix-config.h-collision.patch     |  43 --------
 .../openexr-2.2.0-fix-cpuid-on-abi_x86_32.patch    |  75 -------------
 .../openexr/files/openexr-2.3.0-bigendian.patch    |  71 -------------
 .../openexr/files/openexr-2.3.0-bigendian2.patch   |  17 ---
 .../openexr/files/openexr-2.3.0-fix-bashisms.patch | 117 ---------------------
 .../files/openexr-2.3.0-fix-build-system.patch     |  68 ------------
 .../files/openexr-2.3.0-skip-bogus-tests.patch     |  31 ------
 .../files/openexr-2.3.0-tests-32bits-2.patch       |  17 ---
 .../openexr/files/openexr-2.3.0-tests-32bits.patch |  36 -------
 media-libs/openexr/openexr-2.3.0.ebuild            |  79 --------------
 12 files changed, 615 deletions(-)
Comment 24 Larry the Git Cow gentoo-dev 2021-06-01 00:28:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e719b19ac0d518305ec3ca9cef56cb8741742b1

commit 0e719b19ac0d518305ec3ca9cef56cb8741742b1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-19 21:41:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-01 00:27:50 +0000

    media-libs/openexr: bump to 2.5.6
    
    Bug: https://bugs.gentoo.org/791136
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.6.ebuild | 61 +++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 25 John Helmert III gentoo-dev Security 2021-07-11 02:00:44 UTC
GLSA request filed.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2021-07-11 02:34:28 UTC
This issue was resolved and addressed in
 GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27
by GLSA coordinator John Helmert III (ajak).