Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 830384 (CVE-2021-45942) - <media-libs/openexr-3.1.4: heap buffer overflow
Summary: <media-libs/openexr-3.1.4: heap buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2021-45942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: B2 [glsa+]
Keywords: PullRequest
Depends on: 878149 832143 832726 877865 877901 878173 878243 878247
Blocks: 878213
  Show dependency tree
 
Reported: 2022-01-01 09:03 UTC by John Helmert III
Modified: 2023-01-29 20:17 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 09:03:58 UTC
CVE-2021-45942:

OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask).

Patch: https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0
Comment 1 Larry the Git Cow gentoo-dev 2022-01-28 07:53:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26df8d02bf9c189b08efb6712e9f6a8217a74658

commit 26df8d02bf9c189b08efb6712e9f6a8217a74658
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-01-27 18:59:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-28 07:53:21 +0000

    media-libs/openexr: bump to 3.1.4
    
    Bug: https://bugs.gentoo.org/830384
    Closes: https://bugs.gentoo.org/832143
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/23988
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openexr/Manifest             |  1 +
 media-libs/openexr/openexr-3.1.4.ebuild | 78 +++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 2 Bernd 2022-01-28 10:25:07 UTC
Thanks for merging @Sam. I'll give it a week or so to see, if any issues with the ebuild coming up, before stabilizing.
Comment 3 Larry the Git Cow gentoo-dev 2022-04-10 21:02:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a1d9ccaaa866fd0a831653dc92588fc59be0085

commit 5a1d9ccaaa866fd0a831653dc92588fc59be0085
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-03-14 06:01:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-10 21:01:49 +0000

    media-libs/openexr: drop 3.1.2, 3.1.3, 3.1.4
    
    Cleanup old and vulnerable slot 3 versions.
    
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/820674
    Bug: https://bugs.gentoo.org/830384
    Closes: https://bugs.gentoo.org/833158
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |   2 -
 ...1-0001-changes-needed-for-proper-slotting.patch | 119 ----------
 ...0002-add-version-to-binaries-for-slotting.patch | 252 ---------------------
 media-libs/openexr/openexr-3.1.2.ebuild            |  78 -------
 media-libs/openexr/openexr-3.1.3.ebuild            |  78 -------
 media-libs/openexr/openexr-3.1.4.ebuild            |  78 -------
 6 files changed, 607 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 01:29:36 UTC
GLSA request filed.
Comment 5 Bernd 2022-10-22 07:13:43 UTC
According to upstreams Security.md file, the bug is not present in the 2.5 branch: https://github.com/AcademySoftwareFoundation/openexr/blob/RB-2.5/SECURITY.md
Comment 6 Larry the Git Cow gentoo-dev 2022-10-31 01:42:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4c4a128904601416fe6b2663ba5e3ef91394c37

commit d4c4a128904601416fe6b2663ba5e3ef91394c37
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:28:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-31 ] OpenEXR: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787452
    Bug: https://bugs.gentoo.org/801373
    Bug: https://bugs.gentoo.org/810541
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-31.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2023-01-28 11:26:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb815ca5634fd66f398d1e58cfd35a61688114cd

commit cb815ca5634fd66f398d1e58cfd35a61688114cd
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2023-01-28 10:24:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-01-28 11:26:42 +0000

    media-libs/openexr: drop 2.5.8
    
    Bug: https://bugs.gentoo.org/817431
    Bug: https://bugs.gentoo.org/830384
    Bug: https://bugs.gentoo.org/838079
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/29317
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/openexr/Manifest                        |  1 -
 ....2-0001-IlmImfTest-main.cpp-disable-tests.patch | 40 -------------
 ...xr-2.5.7-0002-increase-IlmImfTest-timeout.patch | 13 ----
 media-libs/openexr/openexr-2.5.8.ebuild            | 70 ----------------------
 4 files changed, 124 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-29 20:17:59 UTC
Thanks!