Bug 20912 - openexr new security issues CVE-2017-911[0-6]
Summary: openexr new security issues CVE-2017-911[0-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
: 22691 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-05-23 04:13 CEST by David Walser
Modified: 2018-05-04 07:07 CEST (History)
5 users (show)

See Also:
Source RPM: OpenEXR-2.2.0-4.mga5, openexr-2.2.0-9.mga6
CVE:
Status comment: Pending upstream PR should fix CVE-2017-911[026], others are apparently not relevant, patch needs to be applied with git


Attachments

Description David Walser 2017-05-23 04:13:51 CEST
CVEs have been assigned for security issues in OpenEXR:
http://seclists.org/oss-sec/2017/q2/308

I don't believe any fixes are available at this time.

Mageia 5 is also affected.
David Walser 2017-05-23 04:13:59 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-05-23 09:38:30 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Rémi Verschelde 2017-06-30 12:41:02 CEST
There's a (yet unmerged) upstream PR that should address some of the CVEs (CVE-2017-911[026]).

For the CVE-2017-911[1345], the contributor states that [0]:

> These CVEs appear to be bugs in exr2aces and are not generally reproducible
> in the library itself, only with bad input to the library via a program such
> as exr2aces.

https://github.com/openexr/openexr/issues/232#issuecomment-307245652

So I guess that as long as we don't build exr2aces, we don't need to care about those and could ship an update for CVE-2017-911[026] - that is if we're to trust this contributor's analysis, but so far it hasn't been challenged.
Rémi Verschelde 2017-06-30 12:42:00 CEST

Status comment: (none) => Pending upstream PR should fix CVE-2017-911[026], others are apparently not relevant

Comment 3 Rémi Verschelde 2017-07-01 09:56:07 CEST
I've added the current pending patch to our Mageia 6 package in openexr-2.2.0-10.mga6:
- PR: https://github.com/openexr/openexr/pull/233
- Current commit: https://github.com/openexr/openexr/commit/749193265ac99956f01a2dd9b20f124f2f7859d0

If I read the author's analysis correctly in PR 233 and issue 232, it should fix CVE-2017-911[026] but not CVE-2017-911[1345], but as mentioned above those would be bugs in the exr2aces tool that we do not package.

So my call would be that it should be enough for us; on the other hand I haven't tested the patched package yet to see if the issues are properly fixed.

Source RPM: openexr-2.2.0-9.mga6.src.rpm => OpenEXR-2.2.0-4.mga5, openexr-2.2.0-9.mga6

David Walser 2017-07-09 01:00:46 CEST

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

David Walser 2017-07-09 01:08:30 CEST

Status comment: Pending upstream PR should fix CVE-2017-911[026], others are apparently not relevant => Pending upstream PR should fix CVE-2017-911[026], others are apparently not relevant, patch needs to be applied with git

Comment 4 David Walser 2017-12-29 02:55:08 CET
Advisory:
========================

Updated OpenEXR packages fix security vulnerabilities:

In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in
ImfHuf.cpp could cause the application to crash (CVE-2017-9110).

In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in
ImfHuf.cpp could cause the application to crash (CVE-2017-9112).

In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in
ImfZip.cpp could cause the application to crash (CVE-2017-9116).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9116
http://seclists.org/oss-sec/2017/q2/308
========================

Updated packages in core/updates_testing:
========================
OpenEXR-2.2.0-4.1.mga5
libOpenEXR22-2.2.0-4.1.mga5
libOpenEXR-devel-2.2.0-4.1.mga5

from OpenEXR-2.2.0-4.1.mga5.src.rpm

Assignee: shlomif => qa-bugs

Dave Hodgins 2017-12-31 12:40:40 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Herman Viaene 2018-01-02 16:30:20 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
I don't know what to do with this.
at CLI:
$ exrheader 
usage: exrheader imagefile [imagefile ...]
I tried jpg, orf, tif,ppm but each time I get:
 File is not an image file.
Sites refer to EXR image files, but I have been hunting in vain. I get jpg samples  from these sites, which present the same problem.

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2018-01-02 19:56:32 CET
@Herman re comment 5.
madb states that the package deals with:
A high dynamic-range (HDR) image file format 

I guess EXR images are colour images with a greater depth than normally found.  You see HDR mentioned in connection with the new 4K TV screens and having bought one recently I can attest to the greater colour depth, particularly in the "blacks".  No idea how to find examples of static images with this format but shall poke around and let you know if any are to be found.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-01-02 20:14:13 CET
@Herman re EXR images.  I found exactly what you did but there are hints on some sites about "images distributed with the release" so there might be some already in the system.  I shall experiment with locate and if that fails try downloading a package from some PhotoShop orientated site.
Comment 8 Len Lawrence 2018-01-02 20:35:54 CET
No luck so far.  Nothing with .EXR extension on the system. 
Found a set of POC files and at least one of them opens with exrheader.
$ exrheader id:000077,sig:11,src:002575,op:havoc,rep:4

file id:000077,sig:11,src:002575,op:havoc,rep:4:

file format version: 2, flags 0x0
channels (type chlist):
    BY, 16-bit floating-point, sampling 2 2, plinear
    RY, 16-bit floating-point, sampling 2 2, plinear
    o, 16-bit floating-point, sampling 1 1
compression (type compression): dwa, medium scanline blocks
dataWindow (type box2i): (0 0) - (609 405)
displayWindow (type box2i): (0 -8448) - (608 405)
lineOrder (type lineOrder): increasing y
owner (type string): "Co�yright 2006 Industrial Light & aagic"
pixelAspectRatio (type float): 1
pxelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"

That means nothing though; there cannot be much of a payload because the file weighs only 786 bytes.
Comment 9 Len Lawrence 2018-01-02 20:56:22 CET
Success!  http://www.openexr.com/downloads.html
Look for OpenEXR sample images:
and download the .tar.gz bundle and unzip it.
e.g. $ tar xzf openexr-images-1.4.0.tar.gz

Over to you Herman.
Comment 10 Herman Viaene 2018-01-03 09:45:05 CET
Downloaded sample files - tx Len
Now I get:
$ exrheader t01.exr 

file t01.exr:

file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
compression (type compression): piz
dataWindow (type box2i): (0 0) - (399 299)
displayWindow (type box2i): (0 0) - (399 299)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"

The problem still left is that these files are not viewable by ristretto or GIMP. The sites and the README file refer to a command exrdisplay, but this one is not installed with the update packages and
# urpmf --verbose exrdisplay
using fast algorithm
getting lock on urpmi
using mirror http://mirror.netcologne.de/mageia/distrib/5/i586
getting information from /var/lib/urpmi/Core Release (distrib1)/files.xml.lzma
$MIRRORLIST media/core/updates media_info/MD5SUM opgehaald
    $MIRRORLIST: media/core/updates/media_info/20180102-160922-files.xml.lzma
$MIRRORLIST media/core/updates media_info/20180102-160922-files.xml.lzma opgehaald                     
getting information from /var/lib/urpmi/Core Updates (distrib3)/files.xml.lzma
getting information from /var/lib/urpmi/Core Updates Testing (distrib5)/files.xml.lzma
getting information from /var/lib/urpmi/Nonfree Release (distrib11)/files.xml.lzma
getting information from /var/lib/urpmi/Nonfree Updates (distrib13)/files.xml.lzma
getting information from /var/lib/urpmi/Tainted Release (distrib21)/files.xml.lzma
getting information from /var/lib/urpmi/Tainted Updates (distrib23)/files.xml.lzma
unlocking urpmi database
is not very helpfull either.
Comment 11 Len Lawrence 2018-01-03 10:37:45 CET
Re comment 10

It is possible that special plugins are needed for some display packages.  I think I saw somesuch mentioned with respect to ImageMagick (display).  Various plugins are mentioned on the web but most of these would apply to Windows, probably.
Comment 12 Dave Hodgins 2018-01-03 13:05:58 CET
Validating the update just based on the update installing cleanly.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2018-01-03 15:23:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 David Walser 2018-05-04 07:07:29 CEST
*** Bug 22691 has been marked as a duplicate of this bug. ***
Comment 15 David Walser 2018-05-04 07:07:50 CEST
This update also fixed CVE-2017-12596.

Note You need to log in before you can comment on or make changes to this bug.