Bug 25966

Summary: ilmbase new security issue CVE-2018-18443
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, shlomif, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: ilmbase-2.3.0-1.mga7.src.rpm CVE: CVE-2018-18443
Status comment:

Description David Walser 2019-12-27 03:33:35 CET 
Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IZN7WUH3SR6DSRODRB4SLFTBKP74FVC5/

Mageia 7 is also affected.
David Walser 2019-12-27 03:33:51 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-27 10:29:44 CET 
Assigning globally, CC Shlomi as last maintainer.

CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-01-14 18:15:40 CET 
Fedora backported the patch to fix it in this commit:
https://src.fedoraproject.org/rpms/mingw-ilmbase/c/905f2935dff088314a956b6decde908f07aa2f23?branch=f31

I believe it's also fixed in 2.4.0.

Status comment: (none) => Patch available from Fedora

Comment 3 Nicolas Salguero 2020-03-04 14:08:11 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

OpenEXR 2.3.0 has a memory leak in ThreadPool in IlmBase/IlmThread/IlmThreadPool.cpp, as demonstrated by exrmultiview. (CVE-2018-18443)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18443
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IZN7WUH3SR6DSRODRB4SLFTBKP74FVC5/
========================

Updated packages in core/updates_testing:
========================
lib(64)ilmbase24-2.3.0-1.1.mga7
lib(64)ilmbase-devel-2.3.0-1.1.mga7

from SRPMS:
ilmbase-2.3.0-1.1.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2018-18443
CC: (none) => nicolas.salguero

Comment 4 Herman Viaene 2020-03-05 14:53:20 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
# urpmq --whatrequires lib64ilmbase24
blender
blender2.8
calligra-core
darktable
darktable
gimp
gimp
and a lot more.
used strace for gimp and opened metadata in gimp of a jpg file
trace shows a.o.
openat(AT_FDCWD, "/lib64/libIlmThread-2_3.so.24", O_RDONLY|O_CLOEXEC) = 4
which isone of the components of this package.
Worked OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-03-05 17:39:24 CET 
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 15:57:40 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-03-06 17:15:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0114.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED