Bug 879255 (CVE-2022-36354, CVE-2022-38143, CVE-2022-41639, CVE-2022-41684, CVE-2022-41794, CVE-2022-41838, CVE-2022-41977, CVE-2022-4198, CVE-2022-41988, CVE-2022-41999, TALOS-2022-1626, TALOS-2022-1627, TALOS-2022-1628, TALOS-2022-1629, TALOS-2022-1630, TALOS-2022-1632, TALOS-2022-1633, TALOS-2022-1634, TALOS-2022-1635, TALOS-2022-1643) - <media-libs/openimageio-2.3.21.0: Multiple vulnerabilities
Summary: <media-libs/openimageio-2.3.21.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-36354, CVE-2022-38143, CVE-2022-41639, CVE-2022-41684, CVE-2022-41794, CVE-2022-41838, CVE-2022-41977, CVE-2022-4198, CVE-2022-41988, CVE-2022-41999, TALOS-2022-1626, TALOS-2022-1627, TALOS-2022-1628, TALOS-2022-1629, TALOS-2022-1630, TALOS-2022-1632, TALOS-2022-1633, TALOS-2022-1634, TALOS-2022-1635, TALOS-2022-1643
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 884081
Blocks:
Reported: 2022-11-03 05:56 UTC by Sam James
Modified: 2023-05-30 03:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-03 05:56:30 UTC
From https://github.com/OpenImageIO/oiio/releases/tag/v2.3.21.0:

RLA: fix potential buffer overrun. (TALOS-2022-1629, CVE-2022-36354) #3624
TIFF: guard against corrupt files with buffer overflows. (TALOS-2022-1627, CVE-2022-41977) #3628
TIFF: guard against buffer overflow for certain CMYK files. (TALOS-2022-1633, CVE-2022-41639) (TALOS-2022-1643, CVE-2022-41988) #3632
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-03 05:59:10 UTC
More in 2.4.5.0 release notes (not stabled) at https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0:

BMP: protect against corrupt pixel coordinates. (TALOS-2022-1630, CVE-2022-38143) #3620
DDS: Fix crashes for cubemap files when a cube face was not present, and check for invalid bits per pixel. (TALOS-2022-1634, CVE-2022-41838) (TALOS-2022-1635, CVE-2022-41999) #3625
PSD: protect against corrupted embedded thumbnails. (TALOS-2022-1626, CVE-2022-41794) #3629
RLA: fix potential buffer overrun. (TALOS-2022-1629, CVE-2022-36354) #3624
Targa: string overflow safety. (TALOS-2022-1628, CVE-2022-4198) #3622
TIFF/JPEG/PSD: Fix EXIF bugs where corrupted exif blocks could overrun memory. (TALOS-2022-1626, CVE-2022-41794) (TALOS-2022-1632, CVE-2022-41684) #3627
TIFF: guard against corrupt files with buffer overflows. (TALOS-2022-1627, CVE-2022-41977) #3628
TIFF: guard against buffer overflow for certain CMYK files. (TALOS-2022-1633, CVE-2022-41639) (TALOS-2022-1643, CVE-2022-41988) #3632
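The release-note entries quoted in the two comments above all describe the same bug class: an image reader trusting header fields (pixel coordinates, bits per pixel, run lengths, EXIF block sizes) and indexing memory with them. The following C block is an added illustration, not OpenImageIO code and not part of this bug report. It decodes a toy RLE image format invented for the example (width and height as little-endian u16, one byte of bits-per-pixel, then packets of [count][value]) and shows the checks a reader needs so that a corrupt header or an over-long run cannot write past the output buffer. The function names, the format and the size policy are all assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy format (invented for this example): header of 5 bytes followed by
 * RLE packets [count u8][value u8], each meaning "count" copies of "value". */
#define TOY_HDR_LEN 5
#define TOY_MAX_PIXELS (1u << 24)   /* policy limit: refuse absurd dimensions */

struct toy_hdr { uint32_t width, height, bpp; };

static uint32_t rd16le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

/* Parse and validate the header. Returns false for anything a decoder could
 * not index with safely: zero dimensions (the BMP-style corrupt coordinates),
 * an unsupported bit depth (the DDS-style bad bits-per-pixel), or a pixel
 * count that would overflow or exceed the policy limit. */
bool toy_parse_header(const uint8_t *buf, size_t len, struct toy_hdr *h) {
    if (buf == NULL || h == NULL || len < TOY_HDR_LEN) return false;
    h->width  = rd16le(buf);
    h->height = rd16le(buf + 2);
    h->bpp    = buf[4];
    if (h->width == 0 || h->height == 0) return false;
    if (h->bpp != 8 && h->bpp != 24 && h->bpp != 32) return false;
    uint64_t pixels = (uint64_t)h->width * h->height;  /* 64-bit: no wrap */
    if (pixels > TOY_MAX_PIXELS) return false;
    return true;
}

/* Bytes the decoded image occupies; only meaningful after a valid header. */
size_t toy_image_bytes(const struct toy_hdr *h) {
    return (size_t)h->width * h->height * (h->bpp / 8);
}

/* Decode the RLE stream into out (capacity out_len). Returns the number of
 * bytes written, or 0 for a corrupt or truncated stream. Every memset is
 * bounded by both the header-derived size and the caller's buffer, so a
 * packet whose count exceeds the remaining space is rejected instead of
 * running off the end (the RLA/Targa class of overrun in the notes above).
 * The unsafe variant this guards against would simply do
 *     memset(out + written, value, count); written += count;
 * with no comparison against need - written. */
size_t toy_decode(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len) {
    struct toy_hdr h;
    if (out == NULL || !toy_parse_header(buf, len, &h)) return 0;
    size_t need = toy_image_bytes(&h);
    if (need > out_len) return 0;               /* caller's buffer too small */

    size_t pos = TOY_HDR_LEN, written = 0;
    while (written < need) {
        if (len - pos < 2) return 0;            /* truncated packet */
        uint8_t count = buf[pos], value = buf[pos + 1];
        pos += 2;
        if (count == 0) return 0;               /* would never make progress */
        if (count > need - written) return 0;   /* run overruns the image */
        memset(out + written, value, count);
        written += count;
    }
    return written;
}

int main(void) {
    /* Constructed samples: a valid 2x2 8-bpp image, and one whose single
     * packet claims 5 pixels for a 4-pixel image. */
    static const uint8_t good[]    = {2, 0, 2, 0, 8, 3, 0xAA, 1, 0xBB};
    static const uint8_t overrun[] = {2, 0, 2, 0, 8, 5, 0xAA};
    uint8_t out[16];
    printf("good:    %zu bytes\n", toy_decode(good, sizeof good, out, sizeof out));
    printf("overrun: %zu bytes\n", toy_decode(overrun, sizeof overrun, out, sizeof out));
    return 0;
}
```

The two rules worth carrying over to a real reader are that dimension arithmetic is done in a wider type and compared against an explicit ceiling before any allocation, and that every copy length derived from file data is compared against the space actually remaining, not against the size the header promised.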
Comment 2 Larry the Git Cow gentoo-dev 2022-11-03 06:15:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=562288f90e0387b90f08154c3c97944f4926b5c5

commit 562288f90e0387b90f08154c3c97944f4926b5c5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-03 06:04:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-03 06:14:04 +0000

    media-libs/openimageio: add 2.4.5.0
    
    Bug: https://bugs.gentoo.org/879255
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openimageio/Manifest                   |   1 +
 media-libs/openimageio/openimageio-2.4.5.0.ebuild | 184 ++++++++++++++++++++++
 2 files changed, 185 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee9117ca3be6fc2121deb2961e31abc2a752c3c5

commit ee9117ca3be6fc2121deb2961e31abc2a752c3c5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-03 05:57:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-03 06:14:04 +0000

    media-libs/openimageio: add 2.3.21.0
    
    Bug: https://bugs.gentoo.org/879255
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openimageio/Manifest                    |   1 +
 media-libs/openimageio/openimageio-2.3.21.0.ebuild | 185 +++++++++++++++++++++
 2 files changed, 186 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:23:36 UTC
Please cleanup
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 04:19:41 UTC
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2023-05-30 03:05:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0778ce2129b0cfa807a5d5a2fab9ed1ccc9db6a9

commit 0778ce2129b0cfa807a5d5a2fab9ed1ccc9db6a9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:02:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:03 +0000

    [ GLSA 202305-33 ] OpenImageIO: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/879255
    Bug: https://bugs.gentoo.org/884085
    Bug: https://bugs.gentoo.org/888045
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-33.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:07:49 UTC
GLSA released, all done!