Ubuntu has issued an advisory on July 6:
https://ubuntu.com/security/notices/USN-4418-1

The issues are fixed upstream in 2.5.2.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
This SRPM has been maintained by different packagers, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
There's also CVE-2020-15304:
https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md

Fedora has issued an advisory for this on July 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/

It's also fixed in 2.5.2.
Summary: openexr new security issues CVE-2020-1530[56] => openexr new security issues CVE-2020-1530[4-6]
Fedora advisory with all three CVEs: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SHYAKRAUEMYVCV7U5WLDRE2YFGSV5PIT/
Debian has issued an advisory for two of the CVEs on August 29: https://www.debian.org/security/2020/dsa-4755
Guillaume has uploaded openexr-2.5.3-1.mga8 for Cauldron.
Whiteboard: MGA7TOO => (none)
CC: (none) => guillomovitch
Version: Cauldron => 7
Debian-LTS has issued an advisory on December 13:
https://www.debian.org/lts/security/2020/dla-2491

The two additional issues were fixed upstream in 2.4.0 beta 1.
Summary: openexr new security issues CVE-2020-1530[4-6] => openexr new security issues CVE-2020-1530[4-6] and CVE-2020-1658[89]
(In reply to David Walser from comment #6)
> Debian-LTS has issued an advisory on December 13:
> https://www.debian.org/lts/security/2020/dla-2491
>
> The two additional issues were fixed upstream in 2.4.0 beta 1.

SUSE has issued an advisory for this on December 23:
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008119.html

There was one additional CVE.
Summary: openexr new security issues CVE-2020-1530[4-6] and CVE-2020-1658[89] => openexr new security issues CVE-2020-1530[4-6] and CVE-2020-1658[7-9]
openSUSE has issued an advisory for this today (December 28): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ESEVYLX65LTFDH2ZVMY2Y4AN2MUHW5M5/
Status comment: (none) => Patches available from Fedora and openSUSE
Ubuntu has issued an advisory for this today (January 5): https://ubuntu.com/security/notices/USN-4676-1
Patched package uploaded by Guillaume for Mageia 7.

Advisory:
========================

Updated openexr packages fix security vulnerabilities:

An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference (CVE-2020-15304).

An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp (CVE-2020-15305).

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp (CVE-2020-15306).

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file (CVE-2020-16587).

A Null Pointer Dereference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file (CVE-2020-16588).

A heap-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file (CVE-2020-16589).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15304
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15306
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16589
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/
https://ubuntu.com/security/notices/USN-4418-1
https://ubuntu.com/security/notices/USN-4676-1
========================

Updated packages in core/updates_testing:
========================
openexr-2.3.0-2.3.mga7
libilmimf2_3_24-2.3.0-2.3.mga7
libopenexr-devel-2.3.0-2.3.mga7

from openexr-2.3.0-2.3.mga7.src.rpm
Status comment: Patches available from Fedora and openSUSE => (none)
Assignee: pkg-bugs => qa-bugs
mga7, x86_64

No PoC for CVE-2020-1530{4,5,6}

CVE-2020-16587
https://github.com/AcademySoftwareFoundation/openexr/issues/491
$ exrheader PoC_hbo_chunkOffsetReconstruction
Segmentation fault (core dumped)

CVE-2020-16588
https://github.com/AcademySoftwareFoundation/openexr/issues/493
$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
Bus error (core dumped)
<Upstream finds "SEGV on unknown address" under asan>

CVE-2020-16589
https://github.com/AcademySoftwareFoundation/openexr/issues/494
$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
<The first time this was run the system stopped responding and the report was lost. Had to go to system rescue to get back, after reboot failed>

Updated the packages.

CVE-2020-16587
$ exrheader PoC_hbo_chunkOffsetReconstruction

file PoC_hbo_chunkOffsetReconstruction (incomplete):

file format version: 2, flags 0x1000
channels (type chlist):
    FLOAT, 32-bit floating-point, sampling 1 1
compression (type compression): zip, multi-scanline blocks
dataWindow (type box2i): (0 0) - (63 63)
displayWindow (type box2i): (0 0) - (196 262)
lineOrder (type lineOrder): increasing y
name (type string): "0"
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
tataWindow (type box2a)
type (type string): "scanlineimage"
<Good result>

CVE-2020-16588
$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
copying PoC_npd_generatePreview to /dev/null
done.
<Good result>

CVE-2020-16589
$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Error reading pixel data from image file "PoC_hbo_writeTileData". File contains an invalid tile
<Good result?>
Still running.

Ran the utilities against images from the original project on GitHub.
A composited image is supplied which can be viewed with IM display.
/bin now contains:
/bin/exrenvmap*  /bin/exrmakepreview*  /bin/exrmultipart*  /bin/exrstdattr*
/bin/exrheader*  /bin/exrmaketiled*  /bin/exrmultiview*
Use -h for help

$ exrheader AllHalfValues.exr

file AllHalfValues.exr: cd

file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
compression (type compression): piz
dataWindow (type box2i): (0 0) - (255 255)
displayWindow (type box2i): (0 0) - (255 255)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"

$ exrmultipart -combine -i Trunks.exr Leaves.exr Ground.exr -o new.exr
input:
Trunks.exr
Leaves.exr
Ground.exr
output:
new.exr
override:0

part 0: deepscanlineimage
part 1: deepscanlineimage
part 2: deepscanlineimage
part 3: deepscanlineimage
part 4: deepscanlineimage
part 5: deepscanlineimage

Combine Success

$ ll Trunks.exr Leaves.exr Ground.exr new.exr
-rw-r--r-- 1 lcl 32009045 Apr 23 2014 Ground.exr
-rw-r--r-- 1 lcl 16503998 Apr 23 2014 Leaves.exr
-rw-r--r-- 1 lcl 52371793 Jan 9 18:44 new.exr
-rw-r--r-- 1 lcl 3858752 Apr 23 2014 Trunks.exr

$ exrheader new.exr

file new.exr:

file format version: 2, flags 0x1800

part 0:
channels (type chlist):
    A, 16-bit floating-point, sampling 1 1
    B, 16-bit floating-point, sampling 1 1
[...]
part 5:
channels (type chlist):
    A, 16-bit floating-point, sampling 1 1
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
    Z, 32-bit floating-point, sampling 1 1
chunkCount (type int): 741
.....

That provided a lot of information, agreeing with a former test. For that test no working viewer was found.

$ exrmakepreview -v new.exr stereo.exr
generating preview image
copying new.exr to stereo.exr
Error reading pixel data from image file "new.exr". Tried to read a raw scanline from a deep image.
<Wrong input probably>

In the absence of an obvious way to view EXR images shall close this report.
No regressions observed between this version and the older one and the PoC all look good so this can be sent on.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
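Added example, not part of the original report or of any Mageia or OpenEXR tooling: a shell wrapper for the before/after PoC runs in the test comment above. It caps memory and wall-clock time so a malformed file cannot hang the test machine, and it separates a signal death from a clean error exit. It assumes GNU `timeout`; `classify_run`, `check_cmds`, `MEM_KB`, `WALL_S` and the limit values are chosen for this example.

```sh
#!/bin/sh
# Added example: run each command under memory and wall-clock limits and
# classify the result, so a malformed file cannot take the test machine down.
MEM_KB=${MEM_KB:-2097152}   # address-space cap in KiB (assumed value: 2 GiB)
WALL_S=${WALL_S:-30}        # wall-clock limit in seconds (assumed value)

# classify_run CMD [ARGS...]
# prints: ok | rejected | timeout | crash:<signal> | harness-error
classify_run() {
    rc=0
    (
        ulimit -c 0                           # no core files
        ulimit -v "$MEM_KB" 2>/dev/null || :  # a stricter inherited cap stays
        exec timeout "$WALL_S" "$@" </dev/null >/dev/null 2>&1
    ) || rc=$?
    case $rc in
        0)           echo ok ;;              # parsed without complaint
        124)         echo timeout ;;         # GNU timeout: limit reached
        125|126|127) echo harness-error ;;   # timeout failed or tool not runnable
        *)  if [ "$rc" -gt 128 ]; then
                echo "crash:$((rc - 128))"   # killed by a signal, 11 = SIGSEGV
            else
                echo rejected                # clean error exit from the tool
            fi ;;
    esac
}

# check_cmds: read one command per line on stdin; return 1 if any of them
# crashed, timed out or could not be run.
check_cmds() {
    fail=0
    while read -r tool args; do
        [ -n "$tool" ] || continue
        res=$(classify_run "$tool" $args)    # $args is split on purpose
        printf '%-14s %s %s\n' "$res" "$tool" "$args"
        case $res in ok|rejected) ;; *) fail=1 ;; esac
    done
    return "$fail"
}

# The three reproducer commands from the QA comment; run from the PoC directory.
if [ "${1:-}" = run ]; then
    check_cmds <<'EOF'
exrheader PoC_hbo_chunkOffsetReconstruction
exrmakepreview -v PoC_npd_generatePreview /dev/null
exrmakepreview -v PoC_hbo_writeTileData /dev/null
EOF
fi
```

Invoked with the argument `run` in the directory holding the three PoC files, it prints one verdict per command and exits non-zero if any run crashed or timed out; `rejected` is the result to expect from a patched build for a file the library refuses.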
Validating. Advisory in Comment 10.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-1530[4-6], CVE-2020-1658[7-9
Source RPM: openexr-2.3.0-5.mga8.src.rpm => openexr-2.3.0-2.mga7.src.rpm
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0015.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED