Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 830384 (CVE-2021-45942) - <media-libs/openexr-3.1.4: heap buffer overflow
Summary: <media-libs/openexr-3.1.4: heap buffer overflow
Status: CONFIRMED
Alias: CVE-2021-45942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: B2 [glsa? cleanup]
Keywords: PullRequest
Depends on: 832143 832726
Blocks:
  Show dependency tree
 
Reported: 2022-01-01 09:03 UTC by John Helmert III
Modified: 2022-04-10 21:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2022-01-01 09:03:58 UTC
CVE-2021-45942:

OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask).

Patch: https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0
Comment 1 Larry the Git Cow gentoo-dev 2022-01-28 07:53:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26df8d02bf9c189b08efb6712e9f6a8217a74658

commit 26df8d02bf9c189b08efb6712e9f6a8217a74658
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-01-27 18:59:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-28 07:53:21 +0000

    media-libs/openexr: bump to 3.1.4
    
    Bug: https://bugs.gentoo.org/830384
    Closes: https://bugs.gentoo.org/832143
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/23988
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-3.1.4.ebuild | 78 +++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 2 Bernd 2022-01-28 10:25:07 UTC
Thanks for merging @Sam. I'll give it a week or so to see, if any issues with the ebuild coming up, before stabilizing.
Comment 3 Larry the Git Cow gentoo-dev 2022-04-10 21:02:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a1d9ccaaa866fd0a831653dc92588fc59be0085

commit 5a1d9ccaaa866fd0a831653dc92588fc59be0085
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-03-14 06:01:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-10 21:01:49 +0000

    media-libs/openexr: drop 3.1.2, 3.1.3, 3.1.4
    
    Cleanup old and vulnerable slot 3 versions.
    
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/820674
    Bug: https://bugs.gentoo.org/830384
    Closes: https://bugs.gentoo.org/833158
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |   2 -
 ...1-0001-changes-needed-for-proper-slotting.patch | 119 ----------
 ...0002-add-version-to-binaries-for-slotting.patch | 252 ---------------------
 media-libs/openexr/openexr-3.1.2.ebuild            |  78 -------
 media-libs/openexr/openexr-3.1.3.ebuild            |  78 -------
 media-libs/openexr/openexr-3.1.4.ebuild            |  78 -------
 6 files changed, 607 deletions(-)