Ubuntu has issued an advisory on April 1: https://ubuntu.com/security/notices/USN-4900-1 The issues are fixed upstream in 3.0.0-beta. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Patches available from Ubuntu
CC: (none) => geiger.david68210, guillomovitch
Whiteboard: (none) => MGA8TOO, MGA7TOO
Fedora has issued advisories on May 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/

The issues are fixed upstream in 3.0.1. Mageia 7 and Mageia 8 are also affected.
Summary: openexr new security issues CVE-2021-347[4-9] => openexr new security issues CVE-2021-347[4-9], CVE-2021-23169, CVE-2021-23215, CVE-2021-26260
Status comment: Patches available from Ubuntu => Patches available from Ubuntu and Fedora
openSUSE has issued advisories for this on April 11 and May 5:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3OEPCGI23GJK5SW2WMNMPUTRJTU2STGG/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XRXYHURHLDTSCIDOVAICJNNLPZTJP6NQ/

The second one has a new CVE that's also fixed upstream in 3.0.0-beta.
Summary: openexr new security issues CVE-2021-347[4-9], CVE-2021-23169, CVE-2021-23215, CVE-2021-26260 => openexr new security issues CVE-2021-347[4-9], CVE-2021-20296, CVE-2021-23169, CVE-2021-23215, CVE-2021-26260
No registered maintainer, various committers, so assigning this globally; but likely packagers are already CC'd.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory on June 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2GOMRCHU5R7NOJAD3ARM7OCTLDNIMSK/ The issues are fixed upstream in 3.0.3. Mageia 7 and Mageia 8 are also affected.
Summary: openexr new security issues CVE-2021-347[4-9], CVE-2021-20296, CVE-2021-23169, CVE-2021-23215, CVE-2021-26260 => openexr new security issues CVE-2021-347[4-9], CVE-2021-3598, CVE-2021-3605, CVE-2021-20296, CVE-2021-23169, CVE-2021-23215, CVE-2021-26260
(In reply to David Walser from comment #4)
> Fedora has issued an advisory on June 20:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2GOMRCHU5R7NOJAD3ARM7OCTLDNIMSK/
>
> The issues are fixed upstream in 3.0.3.
>
> Mageia 7 and Mageia 8 are also affected.

These issues were also patched in ilmbase:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EMXAL63RAX34CJGXT6X7ISXW2E2ADUFH/
Ubuntu has issued an advisory for this today (June 22): https://ubuntu.com/security/notices/USN-4996-1
openSUSE has issued an advisory for two of these issues today (June 25): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HXJ54NGEKD6JFKYVYG6R2JQZI2N5GDOX/
The newest 2.5.x upstream is 2.5.7, and looking at Ubuntu's and Fedora's patches, it looks like everything except CVE-2021-3478 is fixed in 2.5.7. Ubuntu's patches for CVE-2021-3478 apply to it. Marking as fixed in openexr-2.5.7-1.mga9.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Rediffed patches from Ubuntu to fix Mageia 7. Affected code is not in the ilmbase package in Mageia 7. ilmbase is integrated into the openexr package in Mageia 8.

Updated packages in core/updates_testing:
========================
openexr-2.3.0-2.4.mga7
libilmimf2_3_24-2.3.0-2.4.mga7
libopenexr-devel-2.3.0-2.4.mga7

openexr-2.5.7-1.mga8
libilmimf2_5_25-2.5.7-1.mga8
libilmbase2_5_25-2.5.7-1.mga8
libopenexr-devel-2.5.7-1.mga8
libilmbase-devel-2.5.7-1.mga8

from SRPMS:
openexr-2.3.0-2.4.mga7.src.rpm
openexr-2.5.7-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from Ubuntu and Fedora => (none)
Source RPM: openexr-2.5.5-1.mga9.src.rpm => openexr-2.5.3-8.mga8.src.rpm
Advisory:
========================

Updated openexr packages fix security vulnerabilities:

It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code (CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479, CVE-2021-3598, CVE-2021-3605, CVE-2021-20296, CVE-2021-23169, CVE-2021-23215, CVE-2021-26260).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3475
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26260
https://www.openexr.com/
https://ubuntu.com/security/notices/USN-4900-1
https://ubuntu.com/security/notices/USN-4996-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/
mga7, x64

All of the CVEs lead to pages which deal with reproducing the various bugs using a specialized testing framework; nothing there to help QA. Went ahead with the updates. openexr was tested in bug 26914 and the collection of downloaded test images was still available. Ran the same tests as on that bug but don't really know what it all means. The individual EXR images can be viewed using display but multipart images show only the first image. There do not appear to be any EXR viewers. The transcript is dull reading - adding it as an attachment. As far as these tests go there are no obvious regressions.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => tarazed25
Created attachment 12824 [details] Rudimentary tests carried out on EXR images
OpenEXR features as an output target for synfig, which is "a vector based 2D animation package". It comes up in the listing for what requires lib64ilmimf2_3_24. See /usr/share/doc/synfig/README. Not something I would care to tackle. Others are yafaray, povray, krita, k3d, imagemagick, hugin, gimp, darktable, blender. display (imagemagick) was used to display exr images in the earlier tests.

$ grep exr exr.trace | grep lib
lstat("/usr/lib64/ImageMagick-7.0.10/modules-Q16HDRI/coders/exr.so", {st_mode=S_IFREG|0755, st_size=23832, ...}) = 0
$ grep ilmimf exr.trace
$

Installing k3d pulled in yafaray. Failed to open an exr image in the k3d interface and the example images available from the gui do not seem to have any connection with exr. Nothing useful here.
mga8, x64

Ensured that all the packages were installed, tested exrmultipart successfully then updated via qarepo/MageiaUpdate. Tried the tests used on mga7 (comment 11) after removing earlier generated images. The multipart test succeeded in generating a three-part image but display could only see the Trunks component, as before.

It is difficult to find any openexr viewers. Those supported by ArchLinux and LinuxMint may be obsolete. The git tarball supplies the images tested here and contains a folder covering the building of an EXR viewer - cmake worked but make failed on missing GL/Glut.h so what is needed is an equivalent to pkgconfig and a pc file. Developer country.

Tried out blender under strace but failed to find evidence of libopenexr or libilm... being used. Internally blender uses its own collection of EXR images.

$ strace -o darktable.trace darktable new.exr
[exiv2 dt_exif_read] /home/lcl/qa/openexr/images/new.exr: /home/lcl/qa/openexr/images/new.exr: The file contains data of an unknown image type
[exiv2 dt_exif_get_thumbnail] /home/lcl/qa/openexr/images/new.exr: /home/lcl/qa/openexr/images/new.exr: The file contains data of an unknown image type
[exiv2 dt_exif_get_thumbnail] /home/lcl/qa/openexr/images/new.exr: /home/lcl/qa/openexr/images/new.exr: The file contains data of an unknown image type

In spite of the warnings the Trunks layer is displayed perfectly.

$ grep exr darktable.trace | grep -v "lcl/qa"
openat(AT_FDCWD, "/usr/lib64/darktable/plugins/imageio/format/libexr.so", O_RDONLY|O_CLOEXEC) = 31

Using darktable on some of the original test images (unprocessed) raises the same warnings about unknown image data types - they can be ignored I think. They are all displayed without trouble.

$ exrheader new.exr

This finds 6 parts in the file, which contains three multipart images. The general impression is that these packages are OK.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
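The QA comments above confirm with strace and grep which shared objects an application actually opened, which is the check that matters when deciding whether a consumer of libopenexr is covered by the update. As an added example (not part of this bug thread or of any Mageia tooling), the parser below runs the same check over a constructed strace excerpt modelled on the quoted lines; the trace text and library paths such as libIlmImf-2_5.so.25 are constructed sample data, not real output.

```python
"""List OpenEXR/IlmBase shared objects a traced process opened.

The trace below is constructed for this example (modelled on the
openat/lstat lines quoted in the QA comments); it is not real output.
"""
import re
from typing import Dict, List

SAMPLE_TRACE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/darktable/plugins/imageio/format/libexr.so", O_RDONLY|O_CLOEXEC) = 31
openat(AT_FDCWD, "/usr/lib64/libIlmImf-2_5.so.25", O_RDONLY|O_CLOEXEC) = 32
openat(AT_FDCWD, "/usr/lib64/libIlmThread-2_5.so.25", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/lcl/qa/openexr/images/new.exr", O_RDONLY) = 33
lstat("/usr/lib64/ImageMagick-7.0.10/modules-Q16HDRI/coders/exr.so", {st_mode=S_IFREG|0755, st_size=23832, ...}) = 0
"""

# open()/openat() calls with their path and numeric return value.
# lstat() lines are deliberately not matched: a stat only proves the
# file exists, not that the process loaded it.
OPEN_RE = re.compile(
    r'^(?:openat\(\w+, |open\()"(?P<path>[^"]+)", [^)]*\) = (?P<ret>-?\d+)'
)


def exr_libraries(trace: str, name_pattern: str = r"exr|ilm") -> Dict[str, List[str]]:
    """Split shared objects whose path matches name_pattern into 'loaded'
    (a file descriptor was returned) and 'missing' (the open failed).
    Data files such as *.exr are ignored; order of first appearance is kept."""
    want = re.compile(name_pattern, re.IGNORECASE)
    result: Dict[str, List[str]] = {"loaded": [], "missing": []}
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if ".so" not in path or not want.search(path):
            continue
        bucket = "loaded" if int(m.group("ret")) >= 0 else "missing"
        if path not in result[bucket]:
            result[bucket].append(path)
    return result


if __name__ == "__main__":
    for kind, libs in exr_libraries(SAMPLE_TRACE).items():
        print(kind, *libs, sep="\n  ")
```

Feeding it a real `strace -o app.trace app file.exr` log tells you whether the process mapped the library from the updated package or never touched OpenEXR at all, which is what distinguished darktable from blender in the tests above.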
Thank you for all the work, Len. Validating. Advisory in Comment 10.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0326.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2021-2029[89] and CVE-2021-2030[0234] also fixed in this update: https://lists.suse.com/pipermail/sle-security-updates/2021-August/009313.html
(In reply to David Walser from comment #17)
> CVE-2021-2029[89] and CVE-2021-2030[0234] also fixed in this update:
> https://lists.suse.com/pipermail/sle-security-updates/2021-August/009313.html

openSUSE advisory for the same:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I6OVSOAQ3PQXBTM46SMNT6H3XP45CC7L/