Bug 620324 (CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113, CVE-2017-9114, CVE-2017-9115, CVE-2017-9116) - <media-libs/openexr-2.2.0-r2: multiple vulnerabilities (CVE-2017-{9110,9111,9112,9113,9114,9115,9116})
Summary: <media-libs/openexr-2.2.0-r2: multiple vulnerabilities (CVE-2017-{9110,9111,9...
Status: RESOLVED FIXED
Alias: CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113, CVE-2017-9114, CVE-2017-9115, CVE-2017-9116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 639804
Depends on: 682860
Blocks: 606406 CVE-2017-12596 642270 642278 642288 678642 681082
Reported: 2017-06-01 08:22 UTC by Agostino Sarubbo
Modified: 2019-08-02 00:16 UTC

See Also:
Package list:
=media-libs/openexr-2.3.0 =media-libs/ilmbase-2.3.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-06-01 08:22:38 UTC
From ${URL} :

Attached is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0). http://www.openexr.com/downloads.html

These were reported to ehanway@....com on January 12, 2017, but no updates or information have been reported back. I have attempted to see what the status is, but no responses from ILM. Since this has surpassed the general 90-day mark as is standard for many disclosures, these are being disclosed. It’s actually been 120 days exactly.

You can see the last update to the OpenEXR codebase was on January 9. https://github.com/openexr/openexr

Of note is that Adobe Photoshop actually ships with a version of OpenEXR for reading EXR images, so some of these images also crash Photoshop. ImageMagick also can support EXR images by using the OpenEXR library. https://github.com/ImageMagick/exr/tree/master/openexr

As of this writing, these issues are unfixed.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Volkan 2017-06-05 14:35:40 UTC
Please add the following CVE numbers to Alias. 

CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113, CVE-2017-9114, CVE-2017-9115, CVE-2017-9116

CVE-2017-9110 OpenEXR: Out-of-bounds read in the hufDecode function
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in
ImfHuf.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455526

CVE-2017-9111 OpenEXR: Out-of-bounds write in the storeSSE function
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in
ImfOptimizedPixelReading.h could cause the application to crash or execute
arbitrary code.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455528

CVE-2017-9112 OpenEXR: Out-of-bounds read in the getBits function
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in
ImfHuf.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455530

CVE-2017-9113 OpenEXR: Out-of-bounds write in the bufferedReadPixels function
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function
in ImfInputFile.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455533

CVE-2017-9114 OpenEXR: Out-of-bounds read in the refill function
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in
ImfFastHuf.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455535

CVE-2017-9115 OpenEXR: Out-of-bounds write in the = operator function
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in
half.h could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455537

CVE-2017-9116 OpenEXR: Out-of-bounds read in the uncompress function
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in
ImfZip.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455540
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-05 14:50:06 UTC
CVE-2017-9116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9116):
  In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in
  ImfZip.cpp could cause the application to crash.

CVE-2017-9115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9115):
  In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in
  half.h could cause the application to crash or execute arbitrary code.

CVE-2017-9114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9114):
  In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in
  ImfFastHuf.cpp could cause the application to crash.

CVE-2017-9113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9113):
  In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels
  function in ImfInputFile.cpp could cause the application to crash or execute
  arbitrary code.

CVE-2017-9112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9112):
  In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in
  ImfHuf.cpp could cause the application to crash.

CVE-2017-9111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9111):
  In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in
  ImfOptimizedPixelReading.h could cause the application to crash or execute
  arbitrary code.

CVE-2017-9110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9110):
  In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in
  ImfHuf.cpp could cause the application to crash.
Comment 3 Larry the Git Cow gentoo-dev 2017-09-28 12:50:14 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd4ad81b5d8ba426b3d2d75b27f9993119f73e30

commit dd4ad81b5d8ba426b3d2d75b27f9993119f73e30
Author:     Jonathan Scruggs <j.scruggs@gmail.com>
AuthorDate: 2017-09-23 13:04:39 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2017-09-28 12:45:07 +0000

    media-libs/openexr: Revision bump to 2.2.0-r2
    
    * Added patch to fix a typo in the C bindings
    * Added patch to install the missing header files
    * Added patch to fix security issues:
      CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113,
      CVE-2017-9114, CVE-2017-9115, CVE-2017-9116
    * Fixed build system patch
    * Added tabs in the metadata.xml file
    
    Closes: https://bugs.gentoo.org/616996
    Closes: https://bugs.gentoo.org/631382
    Closes: https://bugs.gentoo.org/620324

 ....2.0-CVE-2017-9110-to-9116-security-fixes.patch | 98 ++++++++++++++++++++++
 .../openexr-2.2.0-Fix-typo-in-C-bindings.patch     | 26 ++++++
 ...penexr-2.2.0-Install-missing-header-files.patch | 60 +++++++++++++
 .../files/openexr-2.2.0-fix-build-system.patch     |  4 +-
 media-libs/openexr/metadata.xml                    |  9 +-
 media-libs/openexr/openexr-2.2.0-r2.ebuild         | 64 ++++++++++++++
 6 files changed, 256 insertions(+), 5 deletions(-)
Comment 4 Alexis Ballier gentoo-dev 2017-09-28 12:53:53 UTC
(In reply to Larry the Git Cow from comment #3)
> The bug has been closed via the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd4ad81b5d8ba426b3d2d75b27f9993119f73e30
> 
> commit dd4ad81b5d8ba426b3d2d75b27f9993119f73e30
> Author:     Jonathan Scruggs <j.scruggs@gmail.com>
> AuthorDate: 2017-09-23 13:04:39 +0000
> Commit:     Alexis Ballier <aballier@gentoo.org>
> CommitDate: 2017-09-28 12:45:07 +0000
> 
>     media-libs/openexr: Revision bump to 2.2.0-r2
>     
>     * Added patch to fix a typo in the C bindings
>     * Added patch to install the missing header files
>     * Added patch to fix security issues:
>       CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113,
>       CVE-2017-9114, CVE-2017-9115, CVE-2017-9116
>     * Fixed build system patch
>     * Added tabs in the metadata.xml file
>     
>     Closes: https://bugs.gentoo.org/616996
>     Closes: https://bugs.gentoo.org/631382
>     Closes: https://bugs.gentoo.org/620324
> 
>  ....2.0-CVE-2017-9110-to-9116-security-fixes.patch | 98 ++++++++++++++++++++++
>  .../openexr-2.2.0-Fix-typo-in-C-bindings.patch     | 26 ++++++
>  ...penexr-2.2.0-Install-missing-header-files.patch | 60 +++++++++++++
>  .../files/openexr-2.2.0-fix-build-system.patch     |  4 +-
>  media-libs/openexr/metadata.xml                    |  9 +-
>  media-libs/openexr/openexr-2.2.0-r2.ebuild         | 64 ++++++++++++++
>  6 files changed, 256 insertions(+), 5 deletions(-)

Must be kidding me.
Comment 5 Jonathan Scruggs (RETIRED) gentoo-dev 2017-09-30 09:16:12 UTC
Maybe I should have used Resolves: bug.... instead of Closes so this wouldn't have autoclosed? I wanted to link to this bug report.

Anyways, there's a test that can be done to prove that this bug is fixed, but it includes the bad images (one for each CVE), so I'm not sure how to post it as it would have ways to corrupt non-updated systems. Can I email the security team somehow?
Comment 6 Jonathan Scruggs (RETIRED) gentoo-dev 2018-01-13 17:27:01 UTC
Added a Pull Request to add 2.2.1 which has these CVE fixes. Instead of stabilizing 2.2.0-r2, I think we should focus on this version.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-12-05 01:58:31 UTC
@maintainer(s), please drop the vulnerable versions from the tree.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2019-03-09 18:53:41 UTC
(In reply to Jonathan Scruggs from comment #6)
> Added a Pull Request to add 2.2.1 which has these CVE fixes. Instead of
> stabilizing 2.2.0-r2, I think we should focus on this version.

I do not see 2.2.1 in tree, what I do see is 2.3.0. We either need to finish stabilization of 2.2.0-r2 (so that we can remove previous versions or stabilize 2.3.0).

Media-video team, please decide which one you would like to do.
Thank you
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-03-26 22:30:08 UTC
@arches, please stabilize.
Comment 10 Stabilization helper bot gentoo-dev 2019-03-26 23:00:52 UTC
An automated check of this bug failed - repoman reported dependency errors (117 lines truncated): 

> dependency.bad media-libs/openexr/openexr-2.3.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/ilmbase-2.3.0:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openexr/openexr-2.3.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/ilmbase-2.3.0:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openexr/openexr-2.3.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=media-libs/ilmbase-2.3.0:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 11:30:08 UTC
There's already a stabilization bug for years, bug 639804, but x86 cannot stabilize due to bug 656680.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-04-07 22:10:47 UTC
amd64 stable
Comment 13 Pacho Ramos gentoo-dev 2019-04-20 09:05:49 UTC
*** Bug 639804 has been marked as a duplicate of this bug. ***
Comment 14 Rolf Eike Beer archtester 2019-04-20 20:54:36 UTC
sparc stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-24 21:34:49 UTC
x86 stable
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:32:05 UTC
ia64 stable
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 07:45:12 UTC
ppc stable
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 13:10:03 UTC
ppc64 stable
Comment 19 Larry the Git Cow gentoo-dev 2019-06-04 02:51:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96cd1a4085fc42499ed26cf2e4fc98c5bed3f577

commit 96cd1a4085fc42499ed26cf2e4fc98c5bed3f577
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-06-04 02:50:51 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-06-04 02:50:51 +0000

    media-libs/openexr: Drop vulnerable versions, bug 620324
    
    Bug: https://bugs.gentoo.org/620324
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-libs/openexr/Manifest                        |   2 -
 ....2.0-CVE-2017-9110-to-9116-security-fixes.patch |  98 ----
 .../openexr-2.2.0-Fix-typo-in-C-bindings.patch     |  26 -
 .../files/openexr-2.2.0-fix-build-system.patch     | 620 ---------------------
 ...openexr-2.2.0-use-ull-for-64-bit-literals.patch |  60 --
 media-libs/openexr/openexr-2.1.0.ebuild            |  46 --
 media-libs/openexr/openexr-2.2.0-r2.ebuild         |  67 ---
 7 files changed, 919 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc1ce929dcdaa63179c68c5c83e74fdb5a6e227a

commit fc1ce929dcdaa63179c68c5c83e74fdb5a6e227a
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-06-04 02:48:24 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-06-04 02:48:24 +0000

    media-libs/ilmbase: Drop vulnerable versions, bug 620324
    
    Bug: https://bugs.gentoo.org/620324
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-libs/ilmbase/Manifest                        |  4 --
 .../ilmbase/files/ilmbase-1.0.0-asneeded.patch     | 11 ---
 media-libs/ilmbase/files/ilmbase-1.0.2-gcc43.patch | 11 ---
 .../ilmbase-2.2.0-Remove-register-keyword.patch    | 79 ----------------------
 media-libs/ilmbase/ilmbase-1.0.2.ebuild            | 37 ----------
 media-libs/ilmbase/ilmbase-2.0.1-r1.ebuild         | 17 -----
 media-libs/ilmbase/ilmbase-2.1.0.ebuild            | 26 -------
 media-libs/ilmbase/ilmbase-2.2.0-r1.ebuild         | 33 ---------
 media-libs/ilmbase/ilmbase-2.2.0.ebuild            | 26 -------
 9 files changed, 244 deletions(-)
Comment 20 Rolf Eike Beer archtester 2019-06-15 21:38:50 UTC
hppa stable