Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 879255 (CVE-2022-36354, CVE-2022-38143, CVE-2022-41639, CVE-2022-41684, CVE-2022-41794, CVE-2022-41838, CVE-2022-41977, CVE-2022-4198, CVE-2022-41988, CVE-2022-41999, TALOS-2022-1626, TALOS-2022-1627, TALOS-2022-1628, TALOS-2022-1629, TALOS-2022-1630, TALOS-2022-1632, TALOS-2022-1633, TALOS-2022-1634, TALOS-2022-1635, TALOS-2022-1643) - <media-libs/openimageio-2.3.21.0: Multiple vulnerabilities
Summary: <media-libs/openimageio-2.3.21.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-36354, CVE-2022-38143, CVE-2022-41639, CVE-2022-41684, CVE-2022-41794, CVE-2022-41838, CVE-2022-41977, CVE-2022-4198, CVE-2022-41988, CVE-2022-41999, TALOS-2022-1626, TALOS-2022-1627, TALOS-2022-1628, TALOS-2022-1629, TALOS-2022-1630, TALOS-2022-1632, TALOS-2022-1633, TALOS-2022-1634, TALOS-2022-1635, TALOS-2022-1643
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 884081
Blocks:
  Show dependency tree
 
Reported: 2022-11-03 05:56 UTC by Sam James
Modified: 2023-05-30 03:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-03 05:56:30 UTC
From https://github.com/OpenImageIO/oiio/releases/tag/v2.3.21.0:

RLA: fix potential buffer overrun. (TALOS-2022-1629, CVE-2022-36354) #3624
TIFF: guard against corrupt files with buffer overflows. (TALOS-2022-1627,
CVE-2022-41977) #3628
TIFF: guard against buffer overflow for certain CMYK files.
(TALOS-2022-1633, CVE-2022-41639) (TALOS-2022-1643, CVE-2022-41988) #3632
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-03 05:59:10 UTC
More in 2.4.5.0 release notes (not stabled) at https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0:

BMP: protect against corrupt pixel coordinates. (TALOS-2022-1630,
CVE-2022-38143) #3620
DDS: Fix crashes for cubemap files when a cube face was not present, and
check for invalid bits per pixel. (TALOS-2022-1634, CVE-2022-41838)
(TALOS-2022-1635, CVE-2022-41999) #3625
PSD: protect against corrupted embedded thumbnails. (TALOS-2022-1626,
CVE-2022-41794) #3629
RLA: fix potential buffer overrun. (TALOS-2022-1629, CVE-2022-36354) #3624
Targa: string overflow safety. (TALOS-2022-1628, CVE-2022-4198) #3622
TIFF/JPEG/PSD: Fix EXIF bugs where corrupted exif blocks could overrun
memory. (TALOS-2022-1626, CVE-2022-41794) (TALOS-2022-1632, CVE-2022-41684)
#3627
TIFF: guard against corrupt files with buffer overflows. (TALOS-2022-1627,
CVE-2022-41977) #3628
TIFF: guard against buffer overflow for certain CMYK files.
(TALOS-2022-1633, CVE-2022-41639) (TALOS-2022-1643, CVE-2022-41988) #3632
Comment 2 Larry the Git Cow gentoo-dev 2022-11-03 06:15:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=562288f90e0387b90f08154c3c97944f4926b5c5

commit 562288f90e0387b90f08154c3c97944f4926b5c5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-03 06:04:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-03 06:14:04 +0000

    media-libs/openimageio: add 2.4.5.0
    
    Bug: https://bugs.gentoo.org/879255
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openimageio/Manifest                   |   1 +
 media-libs/openimageio/openimageio-2.4.5.0.ebuild | 184 ++++++++++++++++++++++
 2 files changed, 185 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee9117ca3be6fc2121deb2961e31abc2a752c3c5

commit ee9117ca3be6fc2121deb2961e31abc2a752c3c5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-03 05:57:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-03 06:14:04 +0000

    media-libs/openimageio: add 2.3.21.0
    
    Bug: https://bugs.gentoo.org/879255
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openimageio/Manifest                    |   1 +
 media-libs/openimageio/openimageio-2.3.21.0.ebuild | 185 +++++++++++++++++++++
 2 files changed, 186 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:23:36 UTC
Please cleanup
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 04:19:41 UTC
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2023-05-30 03:05:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0778ce2129b0cfa807a5d5a2fab9ed1ccc9db6a9

commit 0778ce2129b0cfa807a5d5a2fab9ed1ccc9db6a9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:02:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:03 +0000

    [ GLSA 202305-33 ] OpenImageIO: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/879255
    Bug: https://bugs.gentoo.org/884085
    Bug: https://bugs.gentoo.org/888045
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-33.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:07:49 UTC
GLSA released, all done!