787452 – (CVE-2021-23169) <media-libs/openexr-2.5.7: multiple vulnerabilities (CVE-2021-23169)

Bug 787452 (CVE-2021-23169) - <media-libs/openexr-2.5.7: multiple vulnerabilities (CVE-2021-23169)

Summary: <media-libs/openexr-2.5.7: multiple vulnerabilities (CVE-2021-23169)

Status:	RESOLVED FIXED

Alias:	CVE-2021-23169

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+ cve]
Keywords:	PullRequest

Depends on:
Blocks:	CVE-2021-3598 CVE-2021-3605
	Show dependency tree

Reported:	2021-05-01 15:59 UTC by GLSAMaker/CVETool Bot
Modified:	2022-10-31 02:20 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/19964 https://github.com/gentoo/gentoo/pull/21373 https://github.com/gentoo/gentoo/pull/22940
Package list:	media-libs/openexr-2.5.7 media-libs/ilmbase-2.5.7 dev-python/pyilmbase-2.5.7 amd64
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2021-05-01 15:59:52 UTC

CVE-2021-23169 (https://nvd.nist.gov/vuln/detail/CVE-2021-23169):
  Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer


https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e

Not yet backported to v2.5.x.

Comment 1 Bernd 2021-05-01 17:14:24 UTC

There's already a PR for 3.0.1 available which should fix this.

Comment 2 John Helmert III archtester

2021-06-17 21:37:54 UTC

This is fixed in 2.5.7 alongside another oss-fuzz issue:

OSS-fuzz [28155](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28155) Crash in Imf_2_5::PtrIStream::read

Please bump.

Comment 3 Larry the Git Cow gentoo-dev

2021-06-22 18:35:22 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=075636aa0f50bf863c6185af87942ee1eca5e044

commit 075636aa0f50bf863c6185af87942ee1eca5e044
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-06-21 22:38:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-22 18:35:06 +0000

    media-libs/openexr: bump to 2.5.7
    
    Closes: https://bugs.gentoo.org/656680
    Bug: https://bugs.gentoo.org/776808
    Bug: https://bugs.gentoo.org/787452
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest                        |  1 +
 ...nexr-2.5.7-0001-disable-testRgba-on-sparc.patch | 31 ++++++++++
 media-libs/openexr/openexr-2.5.7.ebuild            | 68 ++++++++++++++++++++++
 3 files changed, 100 insertions(+)

Comment 4 NATTkA bot gentoo-dev

2021-06-22 18:44:31 UTC Comment hidden (obsolete)

Sanity check failed:

> media-libs/openexr-2.5.7
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-),static-libs]
>   depend amd64 stable profile default/linux/amd64/17.1 (12 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_32(-),abi_x86_64(-),static-libs]
>   depend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_64(-),static-libs]
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-),static-libs]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (12 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_32(-),abi_x86_64(-),static-libs]
>   rdepend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_64(-),static-libs]
>   depend arm64 stable profile default/linux/arm64/17.0 (39 total)
>     ~media-libs/ilmbase-2.5.7:=[static-libs]
>   rdepend arm64 stable profile default/linux/arm64/17.0 (39 total)
>     ~media-libs/ilmbase-2.5.7:=[static-libs]
>   depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/gnome (4 total)
>     ~media-libs/ilmbase-2.5.7:=[static-libs]
>   rdepend ppc64 dev profile default/linux/ppc64le/17.0/desktop/gnome (4 total)
>     ~media-libs/ilmbase-2.5.7:=[static-libs]
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_32(-),static-libs]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     ~media-libs/ilmbase-2.5.7:=[abi_x86_32(-),static-libs]

Comment 5 NATTkA bot gentoo-dev

2021-06-22 18:56:26 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-libs/pyilmbase-2.5.7

Comment 6 NATTkA bot gentoo-dev

2021-06-22 19:40:46 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 7 John Helmert III archtester

2021-07-09 18:41:36 UTC

Ping.

Comment 8 Agostino Sarubbo gentoo-dev

2021-07-10 10:44:00 UTC

amd64 stable

Comment 9 Sam James archtester

2021-07-10 15:40:53 UTC

arm64 done

Comment 10 Sam James archtester

2021-07-11 20:52:00 UTC

x86 done

Comment 11 Rolf Eike Beer archtester

2021-07-22 15:03:26 UTC

sparc stable

Comment 12 Rolf Eike Beer archtester

2021-08-05 12:45:44 UTC

hppa done

Comment 13 Bernd 2021-10-13 05:29:20 UTC

Can we continue with the stabilization, so 2.5.6 can be dropped? Thank you.

Comment 14 NATTkA bot gentoo-dev

2021-10-16 09:16:55 UTC Comment hidden (obsolete)

Unable to check for sanity:

> package masked: media-libs/openexr-2.5.7, by keywords: -ppc

Comment 15 John Helmert III archtester

2021-11-11 15:56:15 UTC

Ping ppc

Comment 16 Larry the Git Cow gentoo-dev

2021-11-14 04:42:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c1fdfbd693349f06ad3f03472a544a97c2963e3

commit 3c1fdfbd693349f06ad3f03472a544a97c2963e3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-14 04:22:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-14 04:42:46 +0000

    media-libs/ctl: destabilize for ppc64
    
    [Same as for openexr:
    
    We already had to mask this on ppc64be and mark it -ppc
    entirely and I don't usually do testing on ppc64le.
    
    Let's see if we can drop the stable keyword
    entirely here to make life easier.]
    
    Bug: https://bugs.gentoo.org/787452
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/22940
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/ctl/ctl-1.5.2-r1.ebuild | 2 +-
 media-libs/ctl/ctl-1.5.2-r2.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=152f206623d2848e2220bad786cc413b90b79653

commit 152f206623d2848e2220bad786cc413b90b79653
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-14 04:04:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-14 04:42:45 +0000

    profiles/arch/powerpc/ppc64: stable-mask USE=openexr
    
    Bug: https://bugs.gentoo.org/787452
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/powerpc/ppc64/64le/use.stable.mask | 5 +++++
 profiles/arch/powerpc/ppc64/use.stable.mask      | 5 +++++
 2 files changed, 10 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ffcf0f8824fe88f79bb0cb9f7695b30b36acd083

commit ffcf0f8824fe88f79bb0cb9f7695b30b36acd083
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-14 03:35:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-14 04:42:41 +0000

    media-libs/openexr: destabilize 2.5.6 for ~ppc64
    
    We already had to mask this on ppc64be and mark it -ppc
    entirely and I don't usually do testing on ppc64le.
    
    Let's see if we can drop the stable keyword
    entirely here to make life easier.
    
    Bug: https://bugs.gentoo.org/787452
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/openexr-2.5.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 17 Sam James archtester

2021-11-14 04:43:12 UTC

ppc64 dropped to ~arch.

Comment 18 NATTkA bot gentoo-dev

2021-11-14 04:48:46 UTC Comment hidden (obsolete)

Keywords are not fully specified and arches are not CC-ed for the following packages:

- =media-libs/ilmbase-2.5.7

Comment 19 Larry the Git Cow gentoo-dev

2022-01-09 15:48:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7683cc9603063d01488cfc83b79ca58f6cc1c207

commit 7683cc9603063d01488cfc83b79ca58f6cc1c207
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 15:04:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:59 +0000

    media-libs/ilmbase: Drop 2.5.6
    
    Drops ppc/ppc64 to ~arch.
    
    IUSE openexr has been stable-masked on ppc64 with commit 152f2066
    and remains in use.mask on ppc32 anyway.
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/ilmbase/Manifest             |  1 -
 media-libs/ilmbase/ilmbase-2.5.6.ebuild | 41 ---------------------------------
 2 files changed, 42 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35787c9f4ca8dd500938349db43ecfee3fe44805

commit 35787c9f4ca8dd500938349db43ecfee3fe44805
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 14:55:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:47:58 +0000

    media-libs/openexr: Cleanup vulnerable 2.5.6
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest             |  1 -
 media-libs/openexr/openexr-2.5.6.ebuild | 62 ---------------------------------
 2 files changed, 63 deletions(-)

Comment 20 NATTkA bot gentoo-dev

2022-02-15 19:52:52 UTC

Unable to check for sanity:

> no match for package: media-libs/ilmbase-2.5.7

Comment 21 John Helmert III archtester

2022-10-22 01:29:12 UTC

GLSA request filed.

Comment 22 Larry the Git Cow gentoo-dev

2022-10-31 01:41:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

Comment 23 John Helmert III archtester

2022-10-31 02:20:54 UTC

GLSA released, all done!