Bug 717474 (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765, CVE-2020-15304, CVE-2020-15305, CVE-2020-15306) - <media-libs/openexr-2.5.2: Multiple vulnerabilities (CVE-2020-{11758,11759,11760,11761,11762,11763,11764,11765,15304,15305,15306})
Status: IN_PROGRESS
Alias: CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765, CVE-2020-15304, CVE-2020-15305, CVE-2020-15306
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable cve]
Keywords: CC-ARCHES
Depends on: 733858
Blocks:
 
Reported: 2020-04-15 00:03 UTC by Sam James
Modified: 2020-10-07 18:17 UTC (History)

See Also:
Package list:
media-libs/openexr-2.5.2-r1 media-libs/ilmbase-2.5.2
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-04-15 00:03:36 UTC
1) CVE-2020-11758

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h."

2) CVE-2020-11759

Description:
"An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer."

3) CVE-2020-11760

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp."

4) CVE-2020-11761

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp."

5) CVE-2020-11762

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case."

6) CVE-2020-11763

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp."

7) CVE-2020-11764

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp."

8) CVE-2020-11765

Description:
"An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read."

--
All reported in this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987

All fixed in 2.4.1: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020

PR (merged): https://github.com/AcademySoftwareFoundation/openexr/pull/659
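Of the eight issues above, the RLE one (CVE-2020-11760, an out-of-bounds read in rleUncompress) is the easiest to reason about on its own: a run header that promises more literal bytes than the stream still contains sends memcpy past the end of the input. The block below is an added example, not code from OpenEXR, from the Project Zero report or from this bug. It decodes a stream in the shape OpenEXR's RLE uses (one signed count byte per run; negative means "copy the next -count bytes literally", non-negative means "repeat the next byte count+1 times") and checks the remaining input before every copy as well as the remaining output. The sample streams are constructed for the demo and do not come from any real .exr file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked decoder for an OpenEXR-style RLE stream (illustrative, not
 * OpenEXR's rleUncompress()). Returns the number of bytes written to out, or
 * -1 if the stream is malformed: a literal run claims more input than is
 * left, a repeat header has no byte after it, or the decoded data would not
 * fit in out_len bytes. No byte is read or written before its bound is checked. */
long rle_decode_checked(const int8_t *in, size_t in_len,
                        uint8_t *out, size_t out_len)
{
    size_t ip = 0, op = 0;

    while (ip < in_len) {
        int n = in[ip++];
        if (n < 0) {
            size_t count = (size_t)(-n);           /* literal run of -n bytes */
            if (count > in_len - ip) return -1;    /* input check: the bytes must exist */
            if (count > out_len - op) return -1;   /* output check */
            memcpy(out + op, in + ip, count);
            ip += count;
            op += count;
        } else {
            size_t count = (size_t)n + 1;          /* one byte repeated n+1 times */
            if (ip >= in_len) return -1;           /* input check: the byte to repeat must exist */
            if (count > out_len - op) return -1;   /* output check */
            memset(out + op, (uint8_t)in[ip], count);
            ip += 1;
            op += count;
        }
    }
    return (long)op;
}

/* Constructed sample streams for the demo (not taken from any real file). */
static const int8_t k_good_stream[]   = { -3, 'a', 'b', 'c', 2, 'z' }; /* "abc" then "zzz" */
static const int8_t k_short_literal[] = { -5, 'a', 'b' };              /* promises 5 bytes, carries 2 */
static const int8_t k_dangling_run[]  = { 3 };                         /* repeat header, no byte */

/* Well-formed stream: returns 1 if it decodes to exactly "abczzz". */
int demo_good_stream_decodes(void)
{
    uint8_t out[16];
    long n = rle_decode_checked(k_good_stream, sizeof k_good_stream, out, sizeof out);
    return n == 6 && memcmp(out, "abczzz", 6) == 0;
}

/* Literal run longer than the remaining input: an unchecked decoder would
 * memcpy 5 bytes out of a 3-byte buffer. Returns the checked decoder's verdict. */
long demo_short_literal(void)
{
    uint8_t out[16];
    return rle_decode_checked(k_short_literal, sizeof k_short_literal, out, sizeof out);
}

/* Repeat header at the very end of the stream: the byte to repeat is missing. */
long demo_dangling_run(void)
{
    uint8_t out[16];
    return rle_decode_checked(k_dangling_run, sizeof k_dangling_run, out, sizeof out);
}

/* Valid stream but an output buffer too small for the 6 decoded bytes. */
long demo_output_too_small(void)
{
    uint8_t out[4];
    return rle_decode_checked(k_good_stream, sizeof k_good_stream, out, sizeof out);
}

int main(void)
{
    printf("good stream decodes:  %d\n", demo_good_stream_decodes());
    printf("short literal:        %ld\n", demo_short_literal());
    printf("dangling run:         %ld\n", demo_dangling_run());
    printf("output too small:     %ld\n", demo_output_too_small());
    return 0;
}
```

The two checks that matter are written as `count > remaining` rather than as `remaining - count < 0`: with unsigned sizes the subtraction would wrap instead of going negative, which is the same shape of mistake the integer-overflow CVEs in this bug describe.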
Comment 1 Sam James archtester gentoo-dev Security 2020-04-15 00:04:59 UTC
From the disclosure (Google):
"Generally, most of the issues appear to be out-of-bounds reads and/or writes and could be exploitable (for information disclosure or remote code execution) depending on the usage scenario of the OpenEXR library."
Comment 2 Sam James archtester gentoo-dev Security 2020-04-15 00:05:12 UTC
@maintainer(s), please create an appropriate ebuild
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-15 21:12:34 UTC
CVE-2020-11765 (https://nvd.nist.gov/vuln/detail/CVE-2020-11765):
  An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one
  error in use of the ImfXdr.h read function by
  DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.

CVE-2020-11764 (https://nvd.nist.gov/vuln/detail/CVE-2020-11764):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  write in copyIntoFrameBuffer in ImfMisc.cpp.

CVE-2020-11763 (https://nvd.nist.gov/vuln/detail/CVE-2020-11763):
  An issue was discovered in OpenEXR before 2.4.1. There is an std::vector
  out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

CVE-2020-11762 (https://nvd.nist.gov/vuln/detail/CVE-2020-11762):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when
  handling the UNKNOWN compression case.

CVE-2020-11761 (https://nvd.nist.gov/vuln/detail/CVE-2020-11761):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read during Huffman uncompression, as demonstrated by FastHufDecoder::refill
  in ImfFastHuf.cpp.

CVE-2020-11760 (https://nvd.nist.gov/vuln/detail/CVE-2020-11760):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read during RLE uncompression in rleUncompress in ImfRle.cpp.

CVE-2020-11759 (https://nvd.nist.gov/vuln/detail/CVE-2020-11759):
  An issue was discovered in OpenEXR before 2.4.1. Because of integer
  overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and
  readSampleCountForLineBlock, an attacker can write to an out-of-bounds
  pointer.

CVE-2020-11758 (https://nvd.nist.gov/vuln/detail/CVE-2020-11758):
  An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds
  read in ImfOptimizedPixelReading.h.
Comment 4 John Helmert III (ajak) 2020-06-26 05:41:56 UTC
CVE-2020-15304:

An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

CVE-2020-15305:

An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

CVE-2020-15306:

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

All appear to be fixed in 2.5.2 according to the changelog:

https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-252-june-15-2020
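CVE-2020-15306 is a different class from the 2.4.1 batch: the value that sizes a heap table comes straight from an optional chunkCount attribute in the file header. The block below is an added example, not OpenEXR's getChunkOffsetTableSize() and not the fix that shipped in 2.5.2. It computes the chunk count a scanline file's geometry implies, in 64-bit arithmetic so an adversarial dataWindow cannot overflow the height, and refuses a chunkCount attribute that disagrees with that value instead of using it. The struct, its field names and the reject-any-mismatch policy are assumptions made for the illustration; the sample headers are constructed for the demo.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical minimal view of a scanline header (not an OpenEXR type). */
struct exr_header_lite {
    int32_t y_min, y_max;       /* dataWindow rows, inclusive */
    int32_t lines_per_chunk;    /* scanlines per chunk, set by the compression method */
    bool    has_chunk_count;    /* optional chunkCount attribute present? */
    int32_t chunk_count_attr;   /* its value, if present */
};

/* Number of chunks implied by the data window, or -1 if the header is
 * inconsistent: inverted window, non-positive chunk height, or a height that
 * does not fit in 32 bits. The height is computed in int64_t so that
 * y_max - y_min + 1 cannot wrap for extreme 32-bit bounds. */
int64_t expected_chunk_count(const struct exr_header_lite *h)
{
    if (h->lines_per_chunk <= 0 || h->y_max < h->y_min) return -1;
    int64_t height = (int64_t)h->y_max - (int64_t)h->y_min + 1;
    if (height > INT32_MAX) return -1;
    return (height + h->lines_per_chunk - 1) / h->lines_per_chunk;   /* ceiling division */
}

/* Size to use for the chunk offset table: the computed value, and only that.
 * A chunkCount attribute is accepted only when it equals the computed value,
 * so a forged attribute can never be the number that sizes the table.
 * Returns -1 when the header is rejected. */
int64_t chunk_offset_table_size(const struct exr_header_lite *h)
{
    int64_t computed = expected_chunk_count(h);
    if (computed < 0) return -1;
    if (h->has_chunk_count && (int64_t)h->chunk_count_attr != computed) return -1;
    return computed;
}

/* Constructed sample headers for the demo. */
static const struct exr_header_lite k_consistent = {
    .y_min = 0, .y_max = 1079, .lines_per_chunk = 16,
    .has_chunk_count = true, .chunk_count_attr = 68 };   /* ceil(1080 / 16) == 68 */
static const struct exr_header_lite k_forged_attr = {
    .y_min = 0, .y_max = 1079, .lines_per_chunk = 16,
    .has_chunk_count = true, .chunk_count_attr = 1 };    /* attribute disagrees with geometry */
static const struct exr_header_lite k_huge_window = {
    .y_min = INT32_MIN, .y_max = INT32_MAX, .lines_per_chunk = 1,
    .has_chunk_count = false, .chunk_count_attr = 0 };   /* height 2^32: would wrap in int32 */
static const struct exr_header_lite k_inverted = {
    .y_min = 10, .y_max = 5, .lines_per_chunk = 16,
    .has_chunk_count = false, .chunk_count_attr = 0 };

int main(void)
{
    printf("consistent header: %lld\n", (long long)chunk_offset_table_size(&k_consistent));
    printf("forged attribute:  %lld\n", (long long)chunk_offset_table_size(&k_forged_attr));
    printf("huge window:       %lld\n", (long long)chunk_offset_table_size(&k_huge_window));
    printf("inverted window:   %lld\n", (long long)chunk_offset_table_size(&k_inverted));
    return 0;
}
```

Whether a mismatching attribute should be rejected outright or clamped to the computed value is a policy choice; rejecting is the conservative option for a decoder that will later index the table with chunk numbers derived from the same geometry.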
Comment 5 Larry the Git Cow gentoo-dev 2020-07-21 18:58:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dffcb2e509541795dae8dc842d07fe44525fa277

commit dffcb2e509541795dae8dc842d07fe44525fa277
Author:     Bernd Waibel <waebbl@gmail.com>
AuthorDate: 2020-03-03 22:46:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-07-21 18:58:25 +0000

    media-libs/openexr: bump to 2.5.2
    
    Move from an autotools based ebuild to a cmake based one.
    
    Solves CVE issues from bug #717474
    
    Bug: https://bugs.gentoo.org/711456
    Bug: https://bugs.gentoo.org/717474
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Bernd Waibel <waebbl@gmail.com>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 ++++++++++++++
 media-libs/openexr/metadata.xml                    |  7 ++-
 media-libs/openexr/openexr-2.5.2.ebuild            | 63 ++++++++++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)
Comment 6 Sam James archtester gentoo-dev Security 2020-07-21 19:04:23 UTC
We'll give it a few days because quite a lot changed.
Comment 7 Andreas Sturmlechner gentoo-dev 2020-07-21 19:13:15 UTC
OpenEXR is one part of a bigger upstream package, all three of them need to be stabilised in sync.
Comment 8 Sam James archtester gentoo-dev Security 2020-08-01 04:48:59 UTC
(In reply to Andreas Sturmlechner from comment #7)
> OpenEXR is one part of a bigger upstream package, all three of them need to
> be stabilised in sync.

Thanks. How are we looking?
Comment 9 NATTkA bot gentoo-dev 2020-08-02 10:44:50 UTC
Unable to check for sanity:

> no match for package: dev-python/pyilmbase-2.5.2
Comment 10 NATTkA bot gentoo-dev 2020-08-02 10:48:52 UTC
All sanity-check issues have been resolved
Comment 11 Sam James archtester gentoo-dev Security 2020-08-05 18:14:39 UTC
(In reply to Sam James from comment #8)
> (In reply to Andreas Sturmlechner from comment #7)
> > OpenEXR is one part of a bigger upstream package, all three of them need to
> > be stabilised in sync.
> 
> Thanks. How are we looking?

Any reason not to proceed? I'll CC-ARCHES if not..?
Comment 12 Bernd 2020-08-05 18:42:54 UTC
No reason not to continue from my point of view.
Comment 13 Sam James archtester gentoo-dev Security 2020-08-05 18:44:55 UTC
(In reply to Bernd from comment #12)
> No reason not to continue from my point of view.

Thanks!
Comment 14 Sam James archtester gentoo-dev Security 2020-08-06 02:09:24 UTC
arm64 done
Comment 15 Agostino Sarubbo gentoo-dev 2020-08-07 11:44:48 UTC
amd64 stable
Comment 16 Sergei Trofimovich gentoo-dev 2020-08-12 19:05:40 UTC
sparc stable
Comment 17 NATTkA bot gentoo-dev 2020-09-13 10:49:51 UTC
Sanity check failed:

> dev-python/pyilmbase-2.5.2-r1
>   depend x86 exp profile prefix/linux/x86 (2 total)
>     dev-lang/python:3.6
>   rdepend x86 exp profile prefix/linux/x86 (2 total)
>     dev-lang/python:3.6
Comment 18 NATTkA bot gentoo-dev 2020-09-13 13:39:08 UTC
All sanity-check issues have been resolved
Comment 19 Rolf Eike Beer 2020-09-14 17:23:48 UTC
hppa stable
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-16 14:05:59 UTC
can we ignore the pyilmbase failure or drop it to ~arch, plz?
Comment 21 Thomas Deutschmann gentoo-dev Security 2020-09-20 16:28:57 UTC
x86 stable
Comment 22 NATTkA bot gentoo-dev 2020-10-07 18:13:02 UTC
Unable to check for sanity:

> no match for package: media-libs/openexr-2.5.2