Bug 917679 (CVE-2023-36183, CVE-2023-42295, CVE-2023-42299) - <media-libs/openimageio-2.5.4.0: multiple vulnerabilities
Summary: <media-libs/openimageio-2.5.4.0: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-36183, CVE-2023-42295, CVE-2023-42299
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable?]
Keywords:
Depends on: 917680
Blocks:
Reported: 2023-11-21 17:50 UTC by John Helmert III
Modified: 2023-11-21 18:02 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2023-11-21 17:50:33 UTC
CVE-2023-42299 (https://github.com/OpenImageIO/oiio/issues/3840):

Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/e5733a0607e7ea9f728f94181aa0689dc693189c

CVE-2023-42295 (https://github.com/OpenImageIO/oiio/issues/3947):

An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636

CVE-2023-36183 (https://github.com/OpenImageIO/oiio/issues/3871):

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Patch (in 2.5.4.0): https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/aad99bad9a4f6b965f99a291f9c67458c8c982e8

Please stabilize 2.5.4.0.