Bug 24759 - openexr new security issue CVE-2018-18444
Summary: openexr new security issue CVE-2018-18444
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-03 20:51 CEST by David Walser
Modified: 2019-05-12 11:37 CEST

See Also:
Source RPM: openexr-2.3.0-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-05-03 20:51:41 CEST
openSUSE has issued an advisory on April 24:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00178.html

Mageia 6 is also affected.
David Walser 2019-05-03 20:51:46 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:30:56 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => cjw, geiger.david68210, lists.jjorge, mageia, marja11, rverschelde

Comment 2 Mike Rambo 2019-05-08 21:29:27 CEST
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated openexr package fixes security vulnerabilities:

It was discovered that makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possibly unspecified other impact (CVE-2018-18444).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18444
https://lists.opensuse.org/opensuse-updates/2019-04/msg00178.html
https://bugzilla.suse.com/show_bug.cgi?id=1113455
========================

Updated packages in core/updates_testing:
========================
lib64ilmimf2_2_22-2.2.0-10.1.mga6
lib64openexr-devel-2.2.0-10.1.mga6
openexr-2.2.0-10.1.mga6

from openexr-2.2.0-10.1.mga6.src.rpm

Testing hints: https://bugs.mageia.org/show_bug.cgi?id=20912#c10

Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => mrambo

Comment 3 Len Lawrence 2019-05-09 10:22:04 CEST
mga6, x86_64

http://www.openexr.com/downloads.html
That site has source downloads for openexr_viewers.  Checked it locally and found
directories for exrdisplay and playexr.  No idea how to configure and make safely.
As regards viewers, exrdisplay and playexr do not exist in Mageia AFAICS.  Suse lists a
package libIlmImfUtil-2_2-23 and I wondered if that might contain the viewer(s).
The sample images tarfile seems to have disappeared but GitHub has a collection at
https://github.com/openexr/openexr-images
Downloaded that and unzipped it into a local directory.  It contains several folders
including TestImages which has exr images containing "defects".


CVE-2018-18444
https://github.com/openexr/openexr/issues/351
$ exrmultiview left 'id^%000001,sig^%06,src^%000522,op^%ext_AO,pos^%109' right AllHalfValues.exr
The shell did not like that command, so over to mc. Renamed the ugly file to left.exr.
$ exrmultiview left left.exr right AllHalfValues.exr output.exr
Segmentation fault (core dumped)

exr utilities in /usr/bin are:
exrenvmap
exrheader
exrmakepreview
exrmaketiled
exrmultipart
exrmultiview
exrstdattr

Working in TestImages directory:
$ exrmakepreview BrightRings.exr brightrings.exr
$ ll brightrings.exr
-rw-r--r-- 1 lcl lcl 191096 May  9 08:52 brightrings.exr
$ ll BrightRings.exr
-rw-r--r-- 1 lcl lcl 151068 Apr 23  2014 BrightRings.exr

Without the viewers we cannot compare them.
$ file brightrings.exr
brightrings.exr: OpenEXR image data, version 2, storage: scanline, compression: zip, dataWindow: (0 0)-(799 799), displayWindow: (0 0)-(799 799), lineOrder: increasing y

This image contains some unusual pixels at its centre.
$ exrmakepreview BrightRingsNanInf.exr brightrings_nan.exr
$ file brightrings_nan.exr
brightrings_nan.exr: OpenEXR image data, version 2, storage: scanline, compression: zip, dataWindow: (0 0)-(799 799), displayWindow: (0 0)-(799 799), lineOrder: increasing y

Seems to cope.
-----------------------------------------------------------------------------

Updating the packages.

Ran the poc.
$ exrmultiview left left.exr right AllHalfValues.exr output.exr
Error reading pixel data from image file "left.exr". Unexpected data block y coordinate.

Good result.

$ cd openexr-images-master/TestImages
$ exrmakepreview WideColorGamut.exr widecolorgamut.exr
$ exrmaketiled -t  32 32 -z rle SquaresSwirls.exr squaresswirled.exr

$ exrheader widecolorgamut.exr
[...]
file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
chromaticities (type chromaticities):
    red   (0.64 0.33)
    green (0.3 0.6)
    blue  (0.15 0.06)
    white (0.3127 0.329)
compression (type compression): zip, multi-scanline blocks
[...]

$ exrheader squaresswirled.exr
[...]
chunkCount (type int): 1024
compression (type compression): run-length encoding
dataWindow (type box2i): (0 0) - (999 999)
displayWindow (type box2i): (0 0) - (999 999)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
tiles (type tiledesc):
    single level
    tile size 32 by 32 pixels
type (type string): "tiledimage"

Without an HDR image viewer the results cannot be seen.  It all looks OK.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
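
The before/after check in Comment 3 can be scripted by reading the exit status instead of the terminal message. This is an added example, not part of the bug report or of the Mageia QA procedure; the function names are hypothetical, and it assumes left.exr and AllHalfValues.exr sit in the current directory as in that comment.

```shell
#!/bin/sh
# Added example: classify how a command-line tool ended when given a test file.
# By shell convention an exit status above 128 means the process died from a
# signal: 139 = 128 + 11 (SIGSEGV on Linux, the pre-update result above) and
# 134 = 128 + 6 (SIGABRT, the assertion-failure case named in the advisory).

classify_run() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then
        echo "crash:$((rc - 128))"     # killed by signal N
    elif [ "$rc" -eq 126 ] || [ "$rc" -eq 127 ]; then
        echo "not-run"                 # tool missing or not executable
    elif [ "$rc" -ne 0 ]; then
        echo "rejected:$rc"            # clean error exit: input was refused
    else
        echo "ok"
    fi
}

# Prints a one-line verdict. Returns 0 if the tool survived the input,
# 1 if it crashed, 2 if it could not be run at all.
regression_check() {
    result=$(classify_run "$@")
    case "$result" in
        crash:*) echo "FAIL $result"; return 1 ;;
        not-run) echo "SKIP $result"; return 2 ;;
        *)       echo "PASS $result"; return 0 ;;
    esac
}

# Same command line as in the comment; only runs when the tool and files exist.
if command -v exrmultiview >/dev/null 2>&1 \
   && [ -f left.exr ] && [ -f AllHalfValues.exr ]; then
    regression_check exrmultiview left left.exr right AllHalfValues.exr output.exr
fi
```

Run it once before and once after installing the update: the first run should report a crash and the second a rejected input.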

Comment 4 Thomas Andrews 2019-05-10 15:35:47 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 10:08:38 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-05-12 11:37:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0166.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

