openSUSE has issued an advisory on April 24:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00178.html

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => cjw, geiger.david68210, lists.jjorge, mageia, marja11, rverschelde
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated openexr package fixes security vulnerabilities:

It was discovered that makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possibly unspecified other impact (CVE-2018-18444).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18444
https://lists.opensuse.org/opensuse-updates/2019-04/msg00178.html
https://bugzilla.suse.com/show_bug.cgi?id=1113455
========================

Updated packages in core/updates_testing:
========================
lib64ilmimf2_2_22-2.2.0-10.1.mga6
lib64openexr-devel-2.2.0-10.1.mga6
openexr-2.2.0-10.1.mga6

from openexr-2.2.0-10.1.mga6.src.rpm

Testing hints: https://bugs.mageia.org/show_bug.cgi?id=20912#c10
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => mrambo
mga6, x86_64

http://www.openexr.com/downloads.html
That site has source downloads for openexr_viewers. Checked it locally and found directories for exrdisplay and playexr. No idea how to configure and make safely.
As regards viewers, exrdisplay and playexr do not exist in Mageia AFAICS. Suse lists a package libIlmImfUtil-2_2-23 and I wondered if that might contain the viewer(s).

The sample images tarfile seems to have disappeared but GitHub has a collection at https://github.com/openexr/openexr-images
Downloaded that and unzipped it into a local directory. It contains several folders including TestImages which has exr images containing "defects".

CVE-2018-18444
https://github.com/openexr/openexr/issues/351
$ exrmultiview left 'id^%000001,sig^%06,src^%000522,op^%ext_AO,pos^%109' right AllHalfValues.exr
The shell did not like that command, so over to mc. Renamed the ugly file to left.exr.
$ exrmultiview left left.exr right AllHalfValues.exr output.exr
Segmentation fault (core dumped)

exr utilities in /usr/bin are:
exrenvmap exrheader exrmakepreview exrmaketiled exrmultipart exrmultiview exrstdattr

Working in TestImages directory:
$ exrmakepreview BrightRings.exr brightrings.exr
$ ll brightrings.exr
-rw-r--r-- 1 lcl lcl 191096 May 9 08:52 brightrings.exr
$ ll BrightRings.exr
-rw-r--r-- 1 lcl lcl 151068 Apr 23 2014 BrightRings.exr
Without the viewers we cannot compare them.
$ file brightrings.exr
brightrings.exr: OpenEXR image data, version 2, storage: scanline, compression: zip, dataWindow: (0 0)-(799 799), displayWindow: (0 0)-(799 799), lineOrder: increasing y
This image contains some unusual pixels at its centre.
$ exrmakepreview BrightRingsNanInf.exr brightrings_nan.exr
$ file brightrings_nan.exr
brightrings_nan.exr: OpenEXR image data, version 2, storage: scanline, compression: zip, dataWindow: (0 0)-(799 799), displayWindow: (0 0)-(799 799), lineOrder: increasing y
Seems to cope.
-----------------------------------------------------------------------------
Updating the packages. Ran the poc.
$ exrmultiview left left.exr right AllHalfValues.exr output.exr
Error reading pixel data from image file "left.exr". Unexpected data block y coordinate.
Good result.

$ cd openexr-images-master/TestImages
$ exrmakepreview WideColorGamut.exr widecolorgamut.exr
$ exrmaketiled -t 32 32 -z rle SquaresSwirls.exr squaresswirled.exr
$ exrheader widecolorgamut.exr
[...]
file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
chromaticities (type chromaticities):
    red (0.64 0.33)
    green (0.3 0.6)
    blue (0.15 0.06)
    white (0.3127 0.329)
compression (type compression): zip, multi-scanline blocks
[...]
$ exrheader squaresswirled.exr
[...]
chunkCount (type int): 1024
compression (type compression): run-length encoding
dataWindow (type box2i): (0 0) - (999 999)
displayWindow (type box2i): (0 0) - (999 999)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
tiles (type tiledesc):
    single level
    tile size 32 by 32 pixels
type (type string): "tiledimage"

Without an HDR image viewer the results cannot be seen. It all looks OK.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
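
The before/after check in the test comment above, as an added example that is not part of the bug report: a POSIX shell helper that runs a tool and tells a signal death (the segfault seen before the update) apart from a clean refusal (the read error seen after it), then sweeps a directory of sample images. The function names, the verdict words and the script name `exrcheck.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are illustrative.

# classify_run CMD [ARGS...]  -> prints one verdict word:
#   crash    killed by a signal (shell status > 128, e.g. 139 = SIGSEGV)
#   missing  tool not found or not executable (status 127 / 126)
#   rejected tool exited non-zero by itself, i.e. it refused the input
#   accepted exit status 0
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -gt 128 ]; then
        echo crash
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo missing
    elif [ "$status" -ne 0 ]; then
        echo rejected
    else
        echo accepted
    fi
}

# sweep_images DIR CMD [ARGS...]
# Runs "CMD ARGS file" for every *.exr in DIR, prints "<verdict> <file>",
# and returns 1 if any run crashed. File names are always quoted, so names
# containing characters such as ^ % , are passed through intact.
sweep_images() {
    dir=$1
    shift
    crashed=0
    for f in "$dir"/*.exr; do
        [ -e "$f" ] || continue
        verdict=$(classify_run "$@" "$f")
        echo "$verdict $f"
        if [ "$verdict" = crash ]; then crashed=1; fi
    done
    return "$crashed"
}

# Usage: sh exrcheck.sh TestImages exrheader
if [ "$#" -ge 2 ]; then
    sweep_images "$@"
fi
```

For the reproducer itself, `classify_run exrmultiview left left.exr right AllHalfValues.exr output.exr` should print `crash` on the unpatched package and `rejected` on the updated one.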
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0166.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED