Bug 801373 (CVE-2021-3598) - <media-libs/openexr-{2.5.7:0,3.0.5:3}: buffer overflow (CVE-2021-3598)
Summary: <media-libs/openexr-{2.5.7:0,3.0.5:3}: buffer overflow (CVE-2021-3598)
Status: IN_PROGRESS
Alias: CVE-2021-3598
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [stable]
Keywords: PullRequest
Depends on: CVE-2021-23169
Blocks:
Reported: 2021-07-09 18:56 UTC by John Helmert III
Modified: 2021-07-29 18:09 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-07-09 18:56:09 UTC
CVE-2021-3598:

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.


So, the RedHat bug says this is a buffer overflow, the upstream issue [1]
says this is a buffer overflow, but RedHat's CVE says this is a buffer
overread. This is OpenEXR too so no doubt will be more fuzzer bugs once this
is released.

[1] https://github.com/AcademySoftwareFoundation/openexr/issues/1033
Comment 1 Bernd 2021-07-09 19:12:08 UTC
AFAICS this will also be fixed in post 2.5.7 release for <v3 releases, see https://github.com/AcademySoftwareFoundation/openexr/pull/1040.

For v3 releases, there's a PR I'm working on for implementing slots for openexr. I'll add this bug, next time I push.
Comment 2 Larry the Git Cow gentoo-dev 2021-07-21 21:57:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c92b3342d9a7cd0d2c90f81244a02f23b249db46

commit c92b3342d9a7cd0d2c90f81244a02f23b249db46
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-21 23:12:34 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-07-21 21:57:28 +0000

    media-libs/openexr: bump to 3.0.5
    
    Improves slotting, so that openexr-2 and openexr-3
    can be installed in parallel.
    Drop multilib support. Only multilib-aware consumer was
    media-libs/opencv. Using multilib would require it on
    dev-libs/imath as well which is not possible.
    
    Closes: https://bugs.gentoo.org/788286
    Bug: https://bugs.gentoo.org/788310
    Bug: https://bugs.gentoo.org/801373
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 media-libs/openexr/Manifest                        |   1 +
 ...5-0001-changes-needed-for-proper-slotting.patch | 119 +++++++++++
 ...0002-add-version-to-binaries-for-slotting.patch | 229 +++++++++++++++++++++
 media-libs/openexr/openexr-3.0.5.ebuild            |  77 +++++++
 4 files changed, 426 insertions(+)
Comment 3 Bernd 2021-07-24 17:04:17 UTC
According to https://github.com/AcademySoftwareFoundation/openexr/blob/v3.0.5/CHANGES.md#version-305-july-1-2021 the above issue has been closed by PR #1037, which is referenced for 3.0.5.

It should also be solved in 2.5.7, cf. https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/CHANGES.md#version-257-june-16-2021
Comment 4 John Helmert III gentoo-dev Security 2021-07-24 17:18:49 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-3598:
> This is OpenEXR too so no doubt will be more fuzzer bugs once this
> is released.

Maybe I was wrong!

There are only two oss-fuzz issues in 2.5.7 changelog:

OSS-fuzz 28051 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
OSS-fuzz 28155 Crash in Imf_2_5::PtrIStream::read

Then 3.0.5 only says

1036 detect buffer overflows in RleUncompress
Comment 5 Bernd 2021-07-24 17:47:12 UTC
3.0.5 and 2.5.7 both speak of

1037 verify data size in deepscanlines with NO_COMPRESSION

which is the PR that solves issue #1033, referenced in your description.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3598 only speaks of 3.0.5, but from the reference in CHANGES.md, I suppose, 2.5.7 has it solved as well.
Comment 6 John Helmert III gentoo-dev Security 2021-07-24 17:55:21 UTC
(In reply to Bernd from comment #5)
> 3.0.5 and 2.5.7 both speak of
> 
> 1037 verify data size in deepscanlines with NO_COMPRESSION
> 
> which is the PR that solves issue #1033, referenced in your description.
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3598 only speaks of
> 3.0.5, but from the reference in CHANGES.md, I suppose, 2.5.7 has it solved
> as well.

I agree. The CVE is wrong. I don't suppose RedHat cares.
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:09:34 UTC
Package list is empty or all packages have requested keywords.