Bug 29657 - openexr new security issues CVE-2021-3933 and CVE-2021-3941
Summary: openexr new security issues CVE-2021-3933 and CVE-2021-3941
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-11-12 21:44 CET by David Walser
Modified: 2021-11-25 14:07 CET (History)
5 users (show)

See Also:
Source RPM: openexr-2.5.7-1.mga8.src.rpm
CVE: CVE-2021-3933, CVE-2021-3941
Status comment:


Attachments

Description David Walser 2021-11-12 21:44:10 CET
Ubuntu has issued an advisory on November 11:
https://ubuntu.com/security/notices/USN-5144-1

The issue is fixed upstream in 3.1.2.

Mageia 8 is also affected.
David Walser 2021-11-12 21:44:22 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 Nicolas Salguero 2021-11-15 09:53:47 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer-overflow in Imf_3_1::bytesPerDeepLineTable. (CVE-2021-3933)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933
https://ubuntu.com/security/notices/USN-5144-1
========================

Updated packages in core/updates_testing:
========================
lib(64)ilmbase2_5_25-2.5.7-1.1.mga8
lib(64)ilmimf2_5_25-2.5.7-1.1.mga8
lib(64)openexr-devel-2.5.7-1.1.mga8
lib(64)ilmbase-devel-2.5.7-1.1.mga8
openexr-2.5.7-1.1.mga8

from SRPM:
openexr-2.5.7-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status comment: Patch available from Ubuntu => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Source RPM: openexr-2.5.7-1.mga9.src.rpm => openexr-2.5.7-1.mga8.src.rpm
CVE: (none) => CVE-2021-3933

Comment 2 Len Lawrence 2021-11-19 13:27:59 CET
mga8, x64
Installed any missing release packages then used qarepo for the updates-testing files.
Tried the update but ran into this:
Sorry, the following package cannot be selected:

- openttd-12.1-1.mga8.x86_64 (due to unsatisfied openttd-openmsx[>= 0.4.2])

openttd seems to be a game of some sort.
An accidental pickup.
Used drakrpm and eliminated openttd.  It was picked up as a scheduled update - had overlooked the fact that this system needed updating.
After that the packages updated fine.  Testing later.

CC: (none) => tarazed25

Comment 3 David Walser 2021-11-19 18:59:14 CET
Ubuntu has issued an advisory on November 17:
https://ubuntu.com/security/notices/USN-5150-1

It fixes an additional issue.

Mageia 8 is also affected.

Status comment: (none) => Patch available from Ubuntu
Version: 8 => Cauldron
Summary: openexr new security issue CVE-2021-3933 => openexr new security issues CVE-2021-3933 and CVE-2021-3941
Whiteboard: (none) => MGA8TOO
Assignee: qa-bugs => nicolas.salguero

Comment 4 Len Lawrence 2021-11-19 19:34:26 CET
Oops - mid-air collision.  Just lost two hours work.  Bear with me - have to start from the beginning again.
Comment 5 Len Lawrence 2021-11-19 21:00:56 CET
Following bug 29005 as a template.
Using a copy of the exr tree from gitgub, downloaded some time ago.  This includes advice on using the development environment to build C++ programs to read and write EXR images.

$ cd openexr-images-master/
$ ls
Beachball/       DisplayWindow/    MultiResolution/  ScanLines/   v2/
Chromaticities/  LICENSE           MultiView/        TestImages/
COPYING          LuminanceChroma/  README.md         Tiles/
$ cd TestImages
lcl@difda:TestImages $ ls
AllHalfValues.exr      GrayRampsDiagonal.exr     SquaresSwirls.exr
brightrings.exr        GrayRampsHorizontal.exr   widecolorgamut.exr
BrightRings.exr        README                    WideColorGamut.exr
brightrings_nan.exr    RgbRampsDiagonal.exr      WideColorGamut.exr.xmp
BrightRingsNanInf.exr  RgbRampsDiagonal.exr.xmp  WideFloatRange.exr
GammaChart.exr         squaresswirled.exr

$ exrheader AllHalfValues.exr
file AllHalfValues.exr:
file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
compression (type compression): piz
dataWindow (type box2i): (0 0) - (255 255)
displayWindow (type box2i): (0 0) - (255 255)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"

$ pwd
/home/lcl/qa/openexr/openexr-images-master/v2/Stereo
$ exrmultipart -combine -i Trunks.exr Leaves.exr Ground.exr -o new.exr
input:
      Trunks.exr
      Leaves.exr
      Ground.exr
output:
      new.exr
override:0

-combine multipart input 
part 0: deepscanlineimage
part 1: deepscanlineimage
part 2: deepscanlineimage
part 3: deepscanlineimage
part 4: deepscanlineimage
part 5: deepscanlineimage

Combine Success
$ ls
Balls.exr       Ground.exr   Leaves.exr  stereo.exr
composited.exr  leaves.expr  new.exr     Trunks.exr
$ file new.exr
new.exr: OpenEXR image data, version 2, storage: scanline, compression: zips, dataWindow: (0 266)-(1919 1079), displayWindow: (0 0)-(1919 1079), lineOrder: increasing y

Ubuntu has its own exr viewer.  There is a hint on the web that gwenview can open exr images with a suitable plugin and krita is mentioned.  Installed krita and pointed it at one of the test images and sure enough that works.  krita looks quite like the GIMP, with exr plugins.

lib64ilmbase2_5_25 is required by too many packages to mention, including blender, gimp, hugin and darktable.
$ urpmq --requires-recursive krita | egrep "ilmbase|ilmimf|openexr"
lib64ilmbase2_5_25
lib64ilmimf2_5_25

$ strace -o krita.trace krita new.exr
That showed only the Trunks layer.
$ cat krita.trace | grep -v qa | egrep "imlimf|imlbase|openexr|devel"
statx(AT_FDCWD, "/usr/share/kdevelop/sip", AT_STATX_SYNC_AS_STAT, STATX_ALL, 0x7ffe9fc21c00) = -1 ENOENT (No such file or directory)

No hits on the exr packages.

Using krita, viewed an old image which contains all the layers, Trunks, Leaves, etc and that displayed correctly. Sheared the image and saved it.  The trace failed to show that exr packages were involved.  Failed also after importing a layer to an existing image and exporting the combination, in krita.

So, the utilities work and exr images can be viewed but it is difficult to demonstrate the involvement of the updated packages in the chosen viewer even though some are listed as requirements by urpmq.

Passing this on the basis of a clean install and functional utilities.  No regressions observed.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 6 David Walser 2021-11-19 21:02:14 CET
It's pending another CVE fix now.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO

Comment 7 Nicolas Salguero 2021-11-20 11:24:15 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Integer-overflow in Imf_3_1::bytesPerDeepLineTable. (CVE-2021-3933)

Divide-by-zero in Imf_3_1::RGBtoXYZ. (CVE-2021-3941)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3941
https://ubuntu.com/security/notices/USN-5144-1
https://ubuntu.com/security/notices/USN-5150-1
========================

Updated packages in core/updates_testing:
========================
lib(64)ilmbase2_5_25-2.5.7-1.2.mga8
lib(64)ilmimf2_5_25-2.5.7-1.2.mga8
lib(64)openexr-devel-2.5.7-1.2.mga8
lib(64)ilmbase-devel-2.5.7-1.2.mga8
openexr-2.5.7-1.2.mga8

from SRPM:
openexr-2.5.7-1.2.mga8.src.rpm

Status comment: Patch available from Ubuntu => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CVE: CVE-2021-3933 => CVE-2021-3933, CVE-2021-3941
Assignee: nicolas.salguero => qa-bugs

Comment 8 Len Lawrence 2021-11-21 17:41:46 CET
mga8, x64

Updated the packages using qarepo and MageiaUpdate.
Ran the same utility tests as before.  Both OK.
Tried the Gimp and Krita on a stero composite gitHub image.  Those worked fine as well.  darktable was able to show the same image.

Ran strace on gimp - modified an exr image and exported it as EXR and read that successfully in krita.
$ cat gimp.trace | grep -v qa | grep exr
access("/usr/lib64/gimp/2.0/plug-ins/file-exr/file-exr", X_OK) = 0
openat(AT_FDCWD, "/usr/lib64/gimp/2.0/plug-ins/file-exr/file-exr", O_RDONLY) = 15
write(14, "\0\0\0\5\0\0\0\16file-exr-load\0\0\0\0\3\0\0\0\0\0\0"..., 193) = 193
read(10, "file-exr-load\0", 14)         = 14
write(14, "\0\0\0\5\0\0\0\16file-exr-save\0\0\0\0\5\0\0\0\0\0\0"..., 199) = 199
read(10, "file-exr-save\0", 14)         = 14

Again no close connection with the openexr library so maybe strace is not the best tool to use.
Anyway, leaving it at that.  There seems no good reason to release the packages.
Len Lawrence 2021-11-21 17:42:02 CET

Whiteboard: (none) => MGA8-64-OK

Comment 9 Len Lawrence 2021-11-21 17:53:34 CET
Typo in comment 8.  s/release/with-hold/ | s/to release/not to release/
Comment 10 Thomas Andrews 2021-11-22 00:19:59 CET
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-11-22 00:45:05 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-11-25 14:07:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0524.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.