Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 776808 (CVE-2021-20296, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479) - <media-libs/openexr-2.5.6: multiple vulnerabilities
Summary: <media-libs/openexr-2.5.6: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-20296, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/AcademySoftwareFou...
Whiteboard: B2 [glsa+ cve]
Keywords: PullRequest
Depends on: 776805
Blocks: 770229
  Show dependency tree
 
Reported: 2021-03-17 06:35 UTC by Bernd
Modified: 2021-07-11 02:34 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/openexr-2.5.6 media-libs/ilmbase-2.5.6 dev-python/pyilmbase-2.5.6 amd64
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bernd 2021-03-17 06:35:12 UTC
Multiple fuzz-related vulnerabilities have been fixed in OpenEXR-3:

* OSS-fuzz [24573](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24573) Out-of-memory in openexr_exrenvmap_fuzzer
* OSS-fuzz [24857](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24857) Out-of-memory in openexr_exrheader_fuzzer
* OSS-fuzz [25002](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25002) Out-of-memory in openexr_deepscanlines_fuzzer
* OSS-fuzz [25648](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25648) Out-of-memory in openexr_scanlines_fuzzer
* OSS-fuzz [26641](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26641) Invalid-enum-value in readSingleImage
* OSS-fuzz [28051](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051) Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
* OSS-fuzz [28155](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28155) Crash in Imf_2_5::PtrIStream::read
* OSS-fuzz [28419](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28419) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [29393](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29393) Timeout in openexr_exrcheck_fuzzer
* OSS-fuzz [29423](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423) Integer-overflow in Imf_2_5::DwaCompressor::initializeBuffers
* OSS-fuzz [29653](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653) Integer-overflow in Imf_2_5::DwaCompressor::initializeBuffers
* OSS-fuzz [29682](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29682) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [30115](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30115) Timeout in openexr_exrcheck_fuzzer
* OSS-fuzz [30249](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30249) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [30605](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30605) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [30616](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30616) Timeout in openexr_exrcheck_fuzzer
* OSS-fuzz [30969](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30969) Direct-leak in Imf_2_5::DwaCompressor::LossyDctDecoderBase::execute
* OSS-fuzz [31015](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31015) Direct-leak in Imf_2_5::TypedAttribute<Imf_2_5::CompressedIDManifest>::readValueFrom
* OSS-fuzz [31044](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31044) Timeout in openexr_exrcheck_fuzzer
* OSS-fuzz [31072](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31072) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [31221](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31221) Integer-overflow in bool Imf_2_5::readDeepTile<Imf_2_5::DeepTiledInputPart>
* OSS-fuzz [31228](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31228) Integer-overflow in bool Imf_2_5::readDeepTile<Imf_2_5::DeepTiledInputFile>
* OSS-fuzz [31291](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31291) Sanitizer CHECK failure in ""((0 && ""Address is not in memory and not in shadow?"")) != (0)"" (0x0, 0x0)
* OSS-fuzz [31293](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31293) Segv on unknown address in Imf_2_5::copyIntoFrameBuffer
* OSS-fuzz [31390](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31390) Out-of-memory in openexr_exrcheck_fuzzer
* OSS-fuzz [31539](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31539) Out-of-memory in openexr_exrcheck_fuzzer


Reproducible: Always
Comment 1 John Helmert III gentoo-dev Security 2021-03-17 14:13:54 UTC
We don't put the version in the summary until a fixed version is in tree. It doesn't look like 3.0.0 is released upstream anyway, either.
Comment 2 Bernd 2021-03-17 16:46:53 UTC
The 3.0.0-beta has been released as a pre-release, see https://github.com/AcademySoftwareFoundation/openexr/releases
Comment 3 John Helmert III gentoo-dev Security 2021-03-17 21:24:37 UTC
(In reply to Bernd from comment #2)
> The 3.0.0-beta has been released as a pre-release, see
> https://github.com/AcademySoftwareFoundation/openexr/releases

Yeah, and if it was merged to ::gentoo right now then that still wouldn't be the 3.0.0 that was in the summary.
Comment 4 John Helmert III gentoo-dev Security 2021-04-05 01:24:27 UTC
3.0.1 is released, maybe a proper candidate for packaging?

Also seems a few CVEs have been assigned to some of this issues.
Comment 5 Bernd 2021-04-05 07:51:50 UTC
(In reply to John Helmert III from comment #4)
> 3.0.1 is released, maybe a proper candidate for packaging?

See PR #19964
Comment 6 Larry the Git Cow gentoo-dev 2021-05-04 22:02:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bbe14fe858980251f702b71491303041623014b

commit 1bbe14fe858980251f702b71491303041623014b
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-30 05:29:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:02:16 +0000

    media-libs/openexr: bump to 3.0.1
    
    Security fixes
    
    Bug: https://bugs.gentoo.org/776808
    Closes: https://bugs.gentoo.org/776805
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/19964
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/metadata.xml         |  5 ++-
 media-libs/openexr/openexr-3.0.1.ebuild | 65 +++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)
Comment 7 Sam James archtester gentoo-dev Security 2021-05-04 22:07:49 UTC
Thanks! Let us know when ready.
Comment 8 NATTkA bot gentoo-dev 2021-05-04 22:12:29 UTC Comment hidden (obsolete)
Comment 9 Bernd 2021-05-05 05:31:36 UTC
Thanks for merging Sam.
Do we have to look at the many revdeps before going stable? Or do we handle those individually and independently of stabilization, once build failures are coming up?
Comment 10 Joonas Niilola gentoo-dev 2021-05-05 06:14:33 UTC
(In reply to Bernd from comment #9)
> Thanks for merging Sam.
> Do we have to look at the many revdeps before going stable? Or do we handle
> those individually and independently of stabilization, once build failures
> are coming up?

The stabilization process includes testing few revdeps. 

https://qa-reports.gentoo.org/output/genrdeps/dindex/media-libs/openexr this isn't a huge list, I could maybe launch a test off right away.
Comment 11 Joonas Niilola gentoo-dev 2021-05-05 06:17:12 UTC
 # emerge -1av media-libs/openexr

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] dev-libs/imath-3.0.1:0/27::gentoo  USE="-doc -large-stack -python -static-libs -test" PYTHON_SINGLE_TARGET="python3_8 -python3_9" 516 KiB
[ebuild  N     ] media-libs/openexr-3.0.1:0/27::gentoo  USE="-doc -examples -large-stack -static-libs -test -threads -utils" ABI_X86="32 (64) (-x32)" CPU_FLAGS_X86="avx" 24473 KiB

Total: 2 packages (2 new), Size of downloads: 24988 KiB

Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Emerging (1 of 2) dev-libs/imath-3.0.1::gentoo
>>> Installing (1 of 2) dev-libs/imath-3.0.1::gentoo
>>> Emerging (2 of 2) media-libs/openexr-3.0.1::gentoo
>>> Failed to emerge media-libs/openexr-3.0.1, Log file:
>>>  '/var/tmp/portage/media-libs/openexr-3.0.1/temp/build.log'
>>> Jobs: 1 of 2 complete, 1 failed                 Load avg: 0.22, 0.05, 0.02
 * Package:    media-libs/openexr-3.0.1
 * Repository: gentoo
 * Maintainer: waebbl-gentoo@posteo.net proxy-maint@gentoo.org,media-video@gentoo.org
 * USE:        abi_x86_32 abi_x86_64 amd64 cpu_flags_x86_avx elibc_glibc kernel_linux userland_GNU
 * FEATURES:   network-sandbox preserve-libs sandbox userpriv usersandbox

>>> Unpacking source...
>>> Unpacking openexr-3.0.1.tar.gz to /var/tmp/portage/media-libs/openexr-3.0.1/work
>>> Source unpacked in /var/tmp/portage/media-libs/openexr-3.0.1/work
>>> Preparing source in /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1 ...
 * Working in BUILD_DIR: "/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build"
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1 ...
 * abi_x86_32.x86: running multilib-minimal_abi_src_configure
 * Working in BUILD_DIR: "/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86"
cmake -C /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/gentoo_common_config.cmake -G Ninja -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_SHARED_LIBS=yes -DBUILD_TESTING=no -DOPENEXR_BUILD_UTILS=no -DOPENEXR_ENABLE_LARGE_STACK=no -DOPENEXR_ENABLE_THREADING=no -DOPENEXR_INSTALL_EXAMPLES=no -DOPENEXR_INSTALL_PKG_CONFIG=ON -DOPENEXR_INSTALL_TOOLS=no -DOPENEXR_USE_CLANG_TIDY=OFF -DCMAKE_BUILD_TYPE=Gentoo -DCMAKE_TOOLCHAIN_FILE=/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/gentoo_toolchain.cmake  /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1
loading initial cache file /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/gentoo_common_config.cmake
-- Configure OpenEXR Version: 3.0.1 Lib API: 27.0.0
-- The C compiler identification is GNU 11.1.0
-- The CXX compiler identification is GNU 11.1.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/x86_64-pc-linux-gnu-gcc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/x86_64-pc-linux-gnu-g++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Imath was not found, installing from https://github.com/AcademySoftwareFoundation/Imath.git (v3.0.1)
[1/9] Creating directories for 'imath-populate'
[1/9] Performing download step (git clone) for 'imath-populate'
Cloning into 'imath-src'...
fatal: unable to access 'https://github.com/AcademySoftwareFoundation/Imath.git/': Could not resolve host: github.com
Cloning into 'imath-src'...
fatal: unable to access 'https://github.com/AcademySoftwareFoundation/Imath.git/': Could not resolve host: github.com
Cloning into 'imath-src'...
fatal: unable to access 'https://github.com/AcademySoftwareFoundation/Imath.git/': Could not resolve host: github.com
-- Had to git clone more than once:
          3 times.
CMake Error at imath-subbuild/imath-populate-prefix/tmp/imath-populate-gitclone.cmake:31 (message):
  Failed to clone repository:
  'https://github.com/AcademySoftwareFoundation/Imath.git'


FAILED: imath-populate-prefix/src/imath-populate-stamp/imath-populate-download 
cd /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/_deps && /usr/bin/cmake -P /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/_deps/imath-subbuild/imath-populate-prefix/tmp/imath-populate-gitclone.cmake && /usr/bin/cmake -E touch /var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/_deps/imath-subbuild/imath-populate-prefix/src/imath-populate-stamp/imath-populate-download
ninja: build stopped: subcommand failed.

CMake Error at /usr/share/cmake/Modules/FetchContent.cmake:1012 (message):
  Build step for imath failed: 1
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FetchContent.cmake:1141:EVAL:2 (__FetchContent_directPopulate)
  /usr/share/cmake/Modules/FetchContent.cmake:1141 (cmake_language)
  cmake/OpenEXRSetup.cmake:276 (FetchContent_Populate)
  CMakeLists.txt:33 (include)


-- Configuring incomplete, errors occurred!
See also "/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86/CMakeFiles/CMakeOutput.log".
 * ERROR: media-libs/openexr-3.0.1::gentoo failed (configure phase):
 *   cmake failed
 * 
 * Call stack:
 *     ebuild.sh, line  125:  Called src_configure
 *   environment, line 2543:  Called cmake-multilib_src_configure
 *   environment, line  664:  Called multilib-minimal_src_configure
 *   environment, line 1886:  Called multilib_foreach_abi 'multilib-minimal_abi_src_configure'
 *   environment, line 2139:  Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *   environment, line 1816:  Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *   environment, line 1814:  Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_configure'
 *   environment, line  442:  Called multilib-minimal_abi_src_configure
 *   environment, line 1880:  Called multilib_src_configure
 *   environment, line 2356:  Called cmake_src_configure
 *   environment, line  919:  Called die
 * The specific snippet of code:
 *       "${CMAKE_BINARY}" "${cmakeargs[@]}" "${CMAKE_USE_DIR}" || die "cmake failed";
 * 
 * If you need support, post the output of `emerge --info '=media-libs/openexr-3.0.1::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-libs/openexr-3.0.1::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-libs/openexr-3.0.1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-libs/openexr-3.0.1/temp/environment'.
 * Working directory: '/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86'
 * S: '/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1'


 * Messages for package media-libs/openexr-3.0.1:

 * ERROR: media-libs/openexr-3.0.1::gentoo failed (configure phase):
 *   cmake failed
 * 
 * Call stack:
 *     ebuild.sh, line  125:  Called src_configure
 *   environment, line 2543:  Called cmake-multilib_src_configure
 *   environment, line  664:  Called multilib-minimal_src_configure
 *   environment, line 1886:  Called multilib_foreach_abi 'multilib-minimal_abi_src_configure'
 *   environment, line 2139:  Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *   environment, line 1816:  Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *   environment, line 1814:  Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_configure'
 *   environment, line  442:  Called multilib-minimal_abi_src_configure
 *   environment, line 1880:  Called multilib_src_configure
 *   environment, line 2356:  Called cmake_src_configure
 *   environment, line  919:  Called die
 * The specific snippet of code:
 *       "${CMAKE_BINARY}" "${cmakeargs[@]}" "${CMAKE_USE_DIR}" || die "cmake failed";
 * 
 * If you need support, post the output of `emerge --info '=media-libs/openexr-3.0.1::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-libs/openexr-3.0.1::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-libs/openexr-3.0.1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-libs/openexr-3.0.1/temp/environment'.
 * Working directory: '/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1_build-abi_x86_32.x86'
 * S: '/var/tmp/portage/media-libs/openexr-3.0.1/work/openexr-3.0.1'


# emerge --info media-libs/openexr
Portage 3.0.18 (python 3.9.5-final-0, default/linux/amd64/17.1, gcc-11.1.0, glibc-2.33, 5.11.0-pf8 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.11.0-pf8-x86_64-AMD_Ryzen_7_3700X_8-Core_Processor-with-glibc2.33
KiB Mem:    32863252 total,  32717524 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Wed, 05 May 2021 01:50:11 +0000
Head commit of repository gentoo: cde9f4d4b551177f65e6ab7a679b8e2ba0070f73

sh bash 5.1_p8
ld GNU ld (Gentoo 2.36.1 p3) 2.36.1
app-shells/bash:          5.1_p8::gentoo
dev-lang/perl:            5.32.1::gentoo
dev-lang/python:          3.7.10_p3::gentoo, 3.8.10::gentoo, 3.9.5::gentoo
dev-lang/rust-bin:        1.51.0::gentoo
dev-util/cmake:           3.20.2::gentoo
sys-apps/baselayout:      2.7-r2::gentoo
sys-apps/openrc:          0.42.1-r1::gentoo
sys-apps/sandbox:         2.24::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.16.3-r1::gentoo
sys-devel/binutils:       2.36.1-r1::gentoo
sys-devel/gcc:            10.3.0::gentoo, 11.1.0::gentoo
sys-devel/gcc-config:     2.4::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.12::gentoo (virtual/os-headers)
sys-libs/glibc:           2.33::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/repo/sync/gentoo.git
    priority: -1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=8 --usepkg --binpkg-respect-use=n --autounmask=y --autounmask-write --autounmask-continue --autounmask-use=y"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="https://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
LANG="C.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS=" en en_US en-US fi sv "
MAKEOPTS="-j16 -l10"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl amd64 berkdb bzip2 cli crypt dbus dri elogind fortran gdbm iconv ipv6 libglvnd libtirpc multilib ncurses nptl openmp openrc pam pcre readline seccomp split-usr ssl tcpd udev unicode xattr zlib" ABI_X86="64 32" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev joystick" KERNEL="linux" L10N="en en_US en-US fi sv" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="AMDGPU BPF" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_8" PYTHON_TARGETS="pypy3 python3_7 python3_8 python3_9" RUBY_TARGETS="ruby26" SANE_BACKENDS="pixma" USERLAND="GNU" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS


Oh well.
Comment 12 Sam James archtester gentoo-dev Security 2021-05-05 06:19:05 UTC
I think you’ve hit that because imath isn’t multilib. Anyway, this belongs in a new bug.
Comment 13 Joonas Niilola gentoo-dev 2021-05-05 06:20:43 UTC
(And to confirm, it happens on stable amd64 too, I have multilib enabled for testing purposes there too)
Comment 14 Sam James archtester gentoo-dev Security 2021-05-05 06:22:07 UTC
(In reply to Bernd from comment #9)
> Thanks for merging Sam.

No problem, thanks for being patient!

> Do we have to look at the many revdeps before going stable? Or do we handle
> those individually and independently of stabilization, once build failures
> are coming up?

We will let it soak in ~arch for a while and mask if anything serious seems broken. Of course as juippis says, someone testing rdeps would be neat too.
Comment 15 Sam James archtester gentoo-dev Security 2021-05-05 06:34:30 UTC
(In reply to Sam James from comment #12)
> I think you’ve hit that because imath isn’t multilib. Anyway, this belongs
> in a new bug.

(As in, we need to shove multilib on imath then adjust the dep)
Comment 16 Bernd 2021-05-05 06:40:50 UTC
Yes this looks like a multilib issue. Do you open a new bug Joonas? Else I bring up one myself later this day after work.

I take a look into the multilib awareness of imath starting Friday and in the process look at some of the revdeps too.
Comment 17 NATTkA bot gentoo-dev 2021-05-05 14:08:28 UTC Comment hidden (obsolete)
Comment 18 Bernd 2021-05-12 16:06:50 UTC
Today I received the message from upstreams ML, that they want to backport fixes for above CVE's to a 2.5.6 release.
Because I'm not able, so far, to add multilib support to dev-libs/imath, I'm thinking about checking, whether both releases can be installed side by side and moving them to separate slots. In theory this should be possible, and would relax the multilib issue with release 3 a little and also the big effort of porting all revdeps to release 3.

The message says:
A regression was recently discovered in OpenEXR 2.4.2, a bug in Imath::succf() and Imath::predf().  Also, several CVE's have been filed for issues that are addressed in 3.0.1 but still present in 2.4 and 2.5, so I'm going to patch those releases:

    v2.4.3:[...]
    v2.5.6:
        fix for the Imath::succf()/Imath::predf() regression
        fixes for CVE-2021-3474, CVE-2021-34745, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-34789, CVE-2021-20296

See https://lists.aswf.io/g/openexr-dev/message/4859?p=,,,20,0,0,0::created,0,,1,2,0,4859
Comment 19 Bernd 2021-05-12 19:16:17 UTC
After mailing with one of the upstream devs, the CVE's have actually been fixed with 2.5.4 already[1]. So I think, there's no need to stabilize this quickly. Instead we need to merge this with bug #770229.

I will continue checking the possibility of make slotted installations of both release 2 and release 3 versions.

[1]https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md
Comment 20 Sam James archtester gentoo-dev Security 2021-05-13 12:14:00 UTC
(In reply to Bernd from comment #19)
> After mailing with one of the upstream devs, the CVE's have actually been
> fixed with 2.5.4 already[1]. So I think, there's no need to stabilize this
> quickly. Instead we need to merge this with bug #770229.
> 
> I will continue checking the possibility of make slotted installations of
> both release 2 and release 3 versions.
> 
> [1]https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.
> md

Thank you!
Comment 21 Larry the Git Cow gentoo-dev 2021-06-01 00:28:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e719b19ac0d518305ec3ca9cef56cb8741742b1

commit 0e719b19ac0d518305ec3ca9cef56cb8741742b1
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-19 21:41:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-01 00:27:50 +0000

    media-libs/openexr: bump to 2.5.6
    
    Bug: https://bugs.gentoo.org/791136
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/770229
    Bug: https://bugs.gentoo.org/656680
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-2.5.6.ebuild | 61 +++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 22 John Helmert III gentoo-dev Security 2021-06-01 16:11:47 UTC
Is 2.5.6 a better stable target than 3.0.1?
Comment 23 Bernd 2021-06-01 17:08:17 UTC
Short-term I would say yes. Only a few consumers are already supporting imath/openexr-3 from what I've seen so far.
Comment 24 John Helmert III gentoo-dev Security 2021-06-02 02:25:19 UTC
Let's use that then, I guess. Let us know when it's ready to stable.
Comment 25 NATTkA bot gentoo-dev 2021-06-02 02:28:37 UTC Comment hidden (obsolete)
Comment 26 Bernd 2021-06-02 05:15:33 UTC
We should pyilmbase to this too, as it's part of the release for versions <3. I think, the suffix on ilmbase in the package list should be * instead of ^ or am I wrong?

The changes from 2.5.5 to 2.5.6 is only one fix (see the updated URL) and 2.5.5 is in the tree for some time, so I think we can start stabilization immediately.
Comment 27 Bernd 2021-06-02 05:21:20 UTC
Oh one more point. Stabilization on sparc will probably fail due to a failing test, c.f. https://bugs.gentoo.org/656680#c19

I'm looking to add a patch for this.
Comment 28 Sam James archtester gentoo-dev Security 2021-06-02 12:34:43 UTC
(In reply to Bernd from comment #26)
> We should pyilmbase to this too, as it's part of the release for versions
> <3. I think, the suffix on ilmbase in the package list should be * instead
> of ^ or am I wrong?
> 

Sounds right to me!

> The changes from 2.5.5 to 2.5.6 is only one fix (see the updated URL) and
> 2.5.5 is in the tree for some time, so I think we can start stabilization
> immediately.

Let's go. sparc isn't a regression so I don't think we need to wait.
Comment 29 Sam James archtester gentoo-dev Security 2021-06-02 19:01:23 UTC
x86 done
Comment 30 Sam James archtester gentoo-dev Security 2021-06-02 19:01:33 UTC
amd64 done
Comment 31 Sam James archtester gentoo-dev Security 2021-06-03 16:25:33 UTC
arm64 done
Comment 32 Rolf Eike Beer archtester 2021-06-05 11:50:08 UTC
sparc stable
Comment 33 Sergei Trofimovich (RETIRED) gentoo-dev 2021-06-19 18:49:41 UTC
commit 20f7cae0a56ba36a0562ddc7e14410e0eeed02b9
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Thu Jun 17 17:01:17 2021 +0200

    media-libs/openexr: stable 2.5.6 for hppa, bug #776808
Comment 34 Larry the Git Cow gentoo-dev 2021-06-22 18:35:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=075636aa0f50bf863c6185af87942ee1eca5e044

commit 075636aa0f50bf863c6185af87942ee1eca5e044
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-06-21 22:38:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-22 18:35:06 +0000

    media-libs/openexr: bump to 2.5.7
    
    Closes: https://bugs.gentoo.org/656680
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/787452
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ...nexr-2.5.7-0001-disable-testRgba-on-sparc.patch | 31 ++++++++++
 media-libs/openexr/openexr-2.5.7.ebuild            | 68 ++++++++++++++++++++++
 3 files changed, 100 insertions(+)
Comment 35 Sam James archtester gentoo-dev Security 2021-07-10 00:46:25 UTC
ppc done
Comment 36 Sam James archtester gentoo-dev Security 2021-07-10 00:46:27 UTC
ppc64 done

all arches done
Comment 37 Larry the Git Cow gentoo-dev 2021-07-10 12:37:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5995fad1ec2cb2ac11e9c471be1778e6e0464426

commit 5995fad1ec2cb2ac11e9c471be1778e6e0464426
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-07-10 09:13:52 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-10 12:37:09 +0000

    media-libs/openexr: drop 2.5.5
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/776808
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.5.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)
Comment 38 John Helmert III gentoo-dev Security 2021-07-11 02:00:44 UTC
GLSA request filed.
Comment 39 GLSAMaker/CVETool Bot gentoo-dev 2021-07-11 02:34:33 UTC
This issue was resolved and addressed in
 GLSA 202107-27 at https://security.gentoo.org/glsa/202107-27
by GLSA coordinator John Helmert III (ajak).