From ${URL} :

Attached is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0).

http://www.openexr.com/downloads.html

These were reported to ehanway@....com on January 12, 2017, but no updates or information have been reported back. I have attempted to see what the status is, but no responses from ILM. Since this has surpassed the general 90-day mark as is standard for many disclosures, these are being disclosed. It's actually been 120 days exactly. You can see the last update to the OpenEXR codebase was on January 9.

https://github.com/openexr/openexr

Of note is that Adobe Photoshop actually ships with a version of OpenEXR for reading EXR images, so some of these images also crash Photoshop. ImageMagick also can support EXR images by using the OpenEXR library.

https://github.com/ImageMagick/exr/tree/master/openexr

As of this writing, these issues are unfixed.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Please add the following CVE numbers to Alias.

CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113, CVE-2017-9114, CVE-2017-9115, CVE-2017-9116

CVE-2017-9110 OpenEXR: Out-of-bounds read in the hufDecode function
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455526

CVE-2017-9111 OpenEXR: Out-of-bounds write in the storeSSE function
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455528

CVE-2017-9112 OpenEXR: Out-of-bounds read in the getBits function
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455530

CVE-2017-9113 OpenEXR: Out-of-bounds write in the bufferedReadPixels function
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455533

CVE-2017-9114 OpenEXR: Out-of-bounds read in the refill function
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455535

CVE-2017-9115 OpenEXR: Out-of-bounds write in the = operator function
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455537

CVE-2017-9116 OpenEXR: Out-of-bounds read in the uncompress
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455540
CVE-2017-9116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9116):
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.

CVE-2017-9115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9115):
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.

CVE-2017-9114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9114):
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.

CVE-2017-9113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9113):
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.

CVE-2017-9112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9112):
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.

CVE-2017-9111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9111):
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.

CVE-2017-9110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9110):
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd4ad81b5d8ba426b3d2d75b27f9993119f73e30

commit dd4ad81b5d8ba426b3d2d75b27f9993119f73e30
Author:     Jonathan Scruggs <j.scruggs@gmail.com>
AuthorDate: 2017-09-23 13:04:39 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2017-09-28 12:45:07 +0000

    media-libs/openexr: Revision bump to 2.2.0-r2

    * Added patch to fix a typo in the C bindings
    * Added patch to install the missing header files
    * Added patch to fix security issues:
      CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113,
      CVE-2017-9114, CVE-2017-9115, CVE-2017-9116
    * Fixed build system patch
    * Added tabs in the metadata.xml file

    Closes: https://bugs.gentoo.org/616996
    Closes: https://bugs.gentoo.org/631382
    Closes: https://bugs.gentoo.org/620324

 ....2.0-CVE-2017-9110-to-9116-security-fixes.patch | 98 ++++++++++++++++++++++
 .../openexr-2.2.0-Fix-typo-in-C-bindings.patch | 26 ++++++
 ...penexr-2.2.0-Install-missing-header-files.patch | 60 +++++++++++++
 .../files/openexr-2.2.0-fix-build-system.patch | 4 +-
 media-libs/openexr/metadata.xml | 9 +-
 media-libs/openexr/openexr-2.2.0-r2.ebuild | 64 ++++++++++++++
 6 files changed, 256 insertions(+), 5 deletions(-)
(In reply to Larry the Git Cow from comment #3)
> The bug has been closed via the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=dd4ad81b5d8ba426b3d2d75b27f9993119f73e30
>
> commit dd4ad81b5d8ba426b3d2d75b27f9993119f73e30
> Author: Jonathan Scruggs <j.scruggs@gmail.com>
> AuthorDate: 2017-09-23 13:04:39 +0000
> Commit: Alexis Ballier <aballier@gentoo.org>
> CommitDate: 2017-09-28 12:45:07 +0000
>
> media-libs/openexr: Revision bump to 2.2.0-r2
>
> * Added patch to fix a typo in the C bindings
> * Added patch to install the missing header files
> * Added patch to fix security issues:
> CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113,
> CVE-2017-9114, CVE-2017-9115, CVE-2017-9116
> * Fixed build system patch
> * Added tabs in the metadata.xml file
>
> Closes: https://bugs.gentoo.org/616996
> Closes: https://bugs.gentoo.org/631382
> Closes: https://bugs.gentoo.org/620324
>
> ....2.0-CVE-2017-9110-to-9116-security-fixes.patch | 98
> ++++++++++++++++++++++
> .../openexr-2.2.0-Fix-typo-in-C-bindings.patch | 26 ++++++
> ...penexr-2.2.0-Install-missing-header-files.patch | 60 +++++++++++++
> .../files/openexr-2.2.0-fix-build-system.patch | 4 +-
> media-libs/openexr/metadata.xml | 9 +-
> media-libs/openexr/openexr-2.2.0-r2.ebuild | 64 ++++++++++++++
> 6 files changed, 256 insertions(+), 5 deletions(-)

Must be kidding me.
Maybe I should have used Resolves: bug.... instead of Closes so this wouldn't have autoclosed? I wanted to link to this bug report. Anyways, there's a test that can be done to prove that this bug is fixed, but it includes the bad images (one for each CVE), so I'm not sure how to post it as it would have ways to corrupt non-updated systems. Can I email the security team somehow?
Added a Pull Request to add 2.2.1 which has these CVE fixes. Instead of stabilizing 2.2.0-r2, I think we should focus on this version.
@maintainer(s), please drop the vulnerable versions from the tree.
(In reply to Jonathan Scruggs from comment #6)
> Added a Pull Request to add 2.2.1 which has these CVE fixes. Instead of
> stabilizing 2.2.0-r2, I think we should focus on this version.

I do not see 2.2.1 in tree, what I do see is 2.3.0.

We either need to finish stabilization of 2.2.0-r2 (so that we can remove previous versions or stabilize 2.3.0).

Media-video team, please decide which one you would like to do.

Thank you
@arches, please stabilize.
An automated check of this bug failed - repoman reported dependency errors (117 lines truncated):

> dependency.bad media-libs/openexr/openexr-2.3.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/ilmbase-2.3.0:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openexr/openexr-2.3.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/ilmbase-2.3.0:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openexr/openexr-2.3.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=media-libs/ilmbase-2.3.0:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
There's already a stabilization bug for years, bug 639804 but x86 cannot stabilize due to bug 656680.
amd64 stable
*** Bug 639804 has been marked as a duplicate of this bug. ***
sparc stable
x86 stable
ia64 stable
ppc stable
ppc64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96cd1a4085fc42499ed26cf2e4fc98c5bed3f577

commit 96cd1a4085fc42499ed26cf2e4fc98c5bed3f577
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-06-04 02:50:51 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-06-04 02:50:51 +0000

    media-libs/openexr: Drop vulnerable versions, bug 620324

    Bug: https://bugs.gentoo.org/620324
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-libs/openexr/Manifest | 2 -
 ....2.0-CVE-2017-9110-to-9116-security-fixes.patch | 98 ----
 .../openexr-2.2.0-Fix-typo-in-C-bindings.patch | 26 -
 .../files/openexr-2.2.0-fix-build-system.patch | 620 ---------------------
 ...openexr-2.2.0-use-ull-for-64-bit-literals.patch | 60 --
 media-libs/openexr/openexr-2.1.0.ebuild | 46 --
 media-libs/openexr/openexr-2.2.0-r2.ebuild | 67 ---
 7 files changed, 919 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc1ce929dcdaa63179c68c5c83e74fdb5a6e227a

commit fc1ce929dcdaa63179c68c5c83e74fdb5a6e227a
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-06-04 02:48:24 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-06-04 02:48:24 +0000

    media-libs/ilmbase: Drop vulnerable versions, bug 620324

    Bug: https://bugs.gentoo.org/620324
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-libs/ilmbase/Manifest | 4 --
 .../ilmbase/files/ilmbase-1.0.0-asneeded.patch | 11 ---
 media-libs/ilmbase/files/ilmbase-1.0.2-gcc43.patch | 11 ---
 .../ilmbase-2.2.0-Remove-register-keyword.patch | 79 ----------------------
 media-libs/ilmbase/ilmbase-1.0.2.ebuild | 37 ----------
 media-libs/ilmbase/ilmbase-2.0.1-r1.ebuild | 17 -----
 media-libs/ilmbase/ilmbase-2.1.0.ebuild | 26 -------
 media-libs/ilmbase/ilmbase-2.2.0-r1.ebuild | 33 ---------
 media-libs/ilmbase/ilmbase-2.2.0.ebuild | 26 -------
 9 files changed, 244 deletions(-)
hppa stable