| Summary: | openexr new security issue CVE-2017-14988 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | openexr-2.3.0-2.mga7.src.rpm | CVE: | CVE-2017-14988 |
| Status comment: | | | |

Description
David Walser
2019-11-26 18:12:46 CET
David Walser
2019-11-26 18:12:55 CET
Whiteboard: (none) => MGA7TOO

Assigning this globally as the package has no registered maintainer.

Assignee: bugsquad => pkg-bugs

Done for both mga7 and Cauldron!

CC: (none) => geiger.david68210

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. (CVE-2017-14988)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14988
https://lists.opensuse.org/opensuse-updates/2019-08/msg00141.html
========================

Updated packages in core/updates_testing:
========================
openexr-2.3.0-2.1.mga7
lib(64)ilmimf2_3_24-2.3.0-2.1.mga7
lib(64)openexr-devel-2.3.0-2.1.mga7

from SRPMS:
openexr-2.3.0-2.1.mga7.src.rpm

Version: Cauldron => 7

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 20192 Comment 9 for test files and bug 24759 for a few commands.
Some progress as I now find out that the files can be viewed in okular and gwenview.
So from LuminanceChroma folder:

    $ exrheader MtTamNorth.exr

    file MtTamNorth.exr:

    file format version: 2, flags 0x0
    channels (type chlist):
        BY, 16-bit floating-point, sampling 2 2
        RY, 16-bit floating-point, sampling 2 2
        Y, 16-bit floating-point, sampling 1 1
    compression (type compression): piz
    dataWindow (type box2i): (0 0) - (1197 795)
    displayWindow (type box2i): (0 0) - (1197 795)
    lineOrder (type lineOrder): increasing y
    owner (type string): "Copyright 2004 Industrial Light & Magic"
    pixelAspectRatio (type float): 1
    preview (type preview): 100 by 66 pixels
    screenWindowCenter (type v2f): (0 0)
    screenWindowWidth (type float): 1
    type (type string): "scanlineimage"

and

    $ exrmakepreview MtTamNorth.exr test.exr

the file test.exr displays same as original file in okular and gwenview and

    $ exrheader test.exr

    file test.exr:

    file format version: 2, flags 0x0
    channels (type chlist):
        BY, 16-bit floating-point, sampling 2 2
        RY, 16-bit floating-point, sampling 2 2
        Y, 16-bit floating-point, sampling 1 1
    compression (type compression): piz
    dataWindow (type box2i): (0 0) - (1197 795)
    displayWindow (type box2i): (0 0) - (1197 795)
    lineOrder (type lineOrder): increasing y
    owner (type string): "Copyright 2004 Industrial Light & Magic"
    pixelAspectRatio (type float): 1
    preview (type preview): 100 by 66 pixels
    screenWindowCenter (type v2f): (0 0)
    screenWindowWidth (type float): 1
    type (type string): "scanlineimage"

which is also the same, and that could be expected as

    $ exrmakepreview -h
    usage: exrmakepreview [options] infile outfile

    Reads an OpenEXR image from infile, generates a preview
    image, adds it to the image's header, and saves the result
    in outfile. Infile and outfile must not refer to the same
    file (the program cannot edit an image file "in place").

Good enough for me.

Whiteboard: (none) => MGA7-64-OK
Thomas Backlund
2019-12-08 18:49:11 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0373.html

Resolution: (none) => FIXED
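
The advisory in this report describes a crafted file that drives header parsing into excessive memory allocation. As an added example (not code from this bug report or from OpenEXR, and not the upstream fix), the Python pre-screen below walks the attribute list of a single-part EXR header, the same name/type pairs `exrheader` prints, and rejects any attribute whose declared size exceeds a cap or the bytes actually present. That an untrusted declared length is the input to guard is an assumption; `scan_exr_header`, `SuspiciousHeader`, `MAX_ATTR_BYTES` and the sample bytes are constructed for illustration.

```python
import struct

EXR_MAGIC = b"\x76\x2f\x31\x01"      # 20000630, little-endian
MAX_ATTR_BYTES = 16 * 1024 * 1024    # assumed policy cap, not an OpenEXR constant

class SuspiciousHeader(ValueError):
    """Raised when a header field cannot be trusted."""

def _cstring(buf, pos, limit=255):
    """Read a NUL-terminated string; return (text, offset after the NUL)."""
    end = buf.find(b"\x00", pos, pos + limit + 1)
    if end < 0:
        raise SuspiciousHeader(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("latin-1"), end + 1

def scan_exr_header(buf, max_attr=MAX_ATTR_BYTES):
    """Return [(name, type, size), ...], checking each declared size first."""
    if len(buf) < 8 or buf[:4] != EXR_MAGIC:
        raise SuspiciousHeader("not an OpenEXR file")
    pos, attrs = 8, []                 # skip magic and version/flags word
    while True:
        if pos >= len(buf):
            raise SuspiciousHeader("header not terminated")
        if buf[pos] == 0:              # empty name ends the header
            return attrs
        name, pos = _cstring(buf, pos)
        typ, pos = _cstring(buf, pos)
        if pos + 4 > len(buf):
            raise SuspiciousHeader(f"truncated size field for {name!r}")
        (size,) = struct.unpack_from("<i", buf, pos)
        pos += 4
        left = len(buf) - pos
        if size < 0 or size > max_attr or size > left:
            raise SuspiciousHeader(f"{name!r} ({typ}) declares {size} bytes, {left} remain")
        attrs.append((name, typ, size))
        pos += size

def _attr(name, typ, payload, declared=None):
    """Build one constructed attribute; `declared` overrides the true length."""
    size = len(payload) if declared is None else declared
    return name.encode() + b"\0" + typ.encode() + b"\0" + struct.pack("<i", size) + payload

# Constructed samples (not real image files): one consistent header, one
# whose "owner" attribute declares far more bytes than the file holds.
_PREFIX = EXR_MAGIC + struct.pack("<I", 2)   # version 2, flags 0x0
GOOD = (_PREFIX + _attr("owner", "string", b"test")
        + _attr("pixelAspectRatio", "float", struct.pack("<f", 1.0)) + b"\0")
BAD = _PREFIX + _attr("owner", "string", b"test", declared=0x7FFFFFF0) + b"\0"
```

Pass the whole file contents so the "bytes remaining" comparison reflects the real file size.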