Ubuntu has issued an advisory on November 11: https://ubuntu.com/security/notices/USN-5144-1 The issue is fixed upstream in 3.1.2. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Patch available from Ubuntu
Suggested advisory: ======================== The updated packages fix a security vulnerability: Integer-overflow in Imf_3_1::bytesPerDeepLineTable. (CVE-2021-3933) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933 https://ubuntu.com/security/notices/USN-5144-1 ======================== Updated packages in core/updates_testing: ======================== lib(64)ilmbase2_5_25-2.5.7-1.1.mga8 lib(64)ilmimf2_5_25-2.5.7-1.1.mga8 lib(64)openexr-devel-2.5.7-1.1.mga8 lib(64)ilmbase-devel-2.5.7-1.1.mga8 openexr-2.5.7-1.1.mga8 from SRPM: openexr-2.5.7-1.1.mga8.src.rpm
CC: (none) => nicolas.salgueroVersion: Cauldron => 8Status comment: Patch available from Ubuntu => (none)Assignee: bugsquad => qa-bugsWhiteboard: MGA8TOO => (none)Status: NEW => ASSIGNEDSource RPM: openexr-2.5.7-1.mga9.src.rpm => openexr-2.5.7-1.mga8.src.rpmCVE: (none) => CVE-2021-3933
mga8, x64 Installed any missing release packages then used qarepo for the updates-testing files. Tried the update but ran into this: Sorry, the following package cannot be selected: - openttd-12.1-1.mga8.x86_64 (due to unsatisfied openttd-openmsx[>= 0.4.2]) openttd seems to be a game of some sort. An accidental pickup. Used drakrpm and eliminated openttd. It was picked up as a scheduled update - had overlooked the fact that this system needed updating. After that the packages updated fine. Testing later.
CC: (none) => tarazed25
Ubuntu has issued an advisory on November 17: https://ubuntu.com/security/notices/USN-5150-1 It fixes an additional issue. Mageia 8 is also affected.
Status comment: (none) => Patch available from UbuntuVersion: 8 => CauldronSummary: openexr new security issue CVE-2021-3933 => openexr new security issues CVE-2021-3933 and CVE-2021-3941Whiteboard: (none) => MGA8TOOAssignee: qa-bugs => nicolas.salguero
Oops - mid-air collision. Just lost two hours work. Bear with me - have to start from the beginning again.
Following bug 29005 as a template. Using a copy of the exr tree from gitgub, downloaded some time ago. This includes advice on using the development environment to build C++ programs to read and write EXR images. $ cd openexr-images-master/ $ ls Beachball/ DisplayWindow/ MultiResolution/ ScanLines/ v2/ Chromaticities/ LICENSE MultiView/ TestImages/ COPYING LuminanceChroma/ README.md Tiles/ $ cd TestImages lcl@difda:TestImages $ ls AllHalfValues.exr GrayRampsDiagonal.exr SquaresSwirls.exr brightrings.exr GrayRampsHorizontal.exr widecolorgamut.exr BrightRings.exr README WideColorGamut.exr brightrings_nan.exr RgbRampsDiagonal.exr WideColorGamut.exr.xmp BrightRingsNanInf.exr RgbRampsDiagonal.exr.xmp WideFloatRange.exr GammaChart.exr squaresswirled.exr $ exrheader AllHalfValues.exr file AllHalfValues.exr: file format version: 2, flags 0x0 channels (type chlist): B, 16-bit floating-point, sampling 1 1 G, 16-bit floating-point, sampling 1 1 R, 16-bit floating-point, sampling 1 1 compression (type compression): piz dataWindow (type box2i): (0 0) - (255 255) displayWindow (type box2i): (0 0) - (255 255) lineOrder (type lineOrder): increasing y pixelAspectRatio (type float): 1 screenWindowCenter (type v2f): (0 0) screenWindowWidth (type float): 1 type (type string): "scanlineimage" $ pwd /home/lcl/qa/openexr/openexr-images-master/v2/Stereo $ exrmultipart -combine -i Trunks.exr Leaves.exr Ground.exr -o new.exr input: Trunks.exr Leaves.exr Ground.exr output: new.exr override:0 -combine multipart input part 0: deepscanlineimage part 1: deepscanlineimage part 2: deepscanlineimage part 3: deepscanlineimage part 4: deepscanlineimage part 5: deepscanlineimage Combine Success $ ls Balls.exr Ground.exr Leaves.exr stereo.exr composited.exr leaves.expr new.exr Trunks.exr $ file new.exr new.exr: OpenEXR image data, version 2, storage: scanline, compression: zips, dataWindow: (0 266)-(1919 1079), displayWindow: (0 0)-(1919 1079), lineOrder: increasing y Ubuntu has its own exr viewer. There is a hint on the web that gwenview can open exr images with a suitable plugin and krita is mentioned. Installed krita and pointed it at one of the test images and sure enough that works. krita looks quite like the GIMP, with exr plugins. lib64ilmbase2_5_25 is required by too many packages to mention, including blender, gimp, hugin and darktable. $ urpmq --requires-recursive krita | egrep "ilmbase|ilmimf|openexr" lib64ilmbase2_5_25 lib64ilmimf2_5_25 $ strace -o krita.trace krita new.exr That showed only the Trunks layer. $ cat krita.trace | grep -v qa | egrep "imlimf|imlbase|openexr|devel" statx(AT_FDCWD, "/usr/share/kdevelop/sip", AT_STATX_SYNC_AS_STAT, STATX_ALL, 0x7ffe9fc21c00) = -1 ENOENT (No such file or directory) No hits on the exr packages. Using krita, viewed an old image which contains all the layers, Trunks, Leaves, etc and that displayed correctly. Sheared the image and saved it. The trace failed to show that exr packages were involved. Failed also after importing a layer to an existing image and exporting the combination, in krita. So, the utilities work and exr images can be viewed but it is difficult to demonstrate the involvement of the updated packages in the chosen viewer even though some are listed as requirements by urpmq. Passing this on the basis of a clean install and functional utilities. No regressions observed.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
It's pending another CVE fix now.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Integer-overflow in Imf_3_1::bytesPerDeepLineTable. (CVE-2021-3933) Divide-by-zero in Imf_3_1::RGBtoXYZ. (CVE-2021-3941) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3941 https://ubuntu.com/security/notices/USN-5144-1 https://ubuntu.com/security/notices/USN-5150-1 ======================== Updated packages in core/updates_testing: ======================== lib(64)ilmbase2_5_25-2.5.7-1.2.mga8 lib(64)ilmimf2_5_25-2.5.7-1.2.mga8 lib(64)openexr-devel-2.5.7-1.2.mga8 lib(64)ilmbase-devel-2.5.7-1.2.mga8 openexr-2.5.7-1.2.mga8 from SRPM: openexr-2.5.7-1.2.mga8.src.rpm
Status comment: Patch available from Ubuntu => (none)Version: Cauldron => 8Whiteboard: MGA8TOO => (none)CVE: CVE-2021-3933 => CVE-2021-3933, CVE-2021-3941Assignee: nicolas.salguero => qa-bugs
mga8, x64 Updated the packages using qarepo and MageiaUpdate. Ran the same utility tests as before. Both OK. Tried the Gimp and Krita on a stero composite gitHub image. Those worked fine as well. darktable was able to show the same image. Ran strace on gimp - modified an exr image and exported it as EXR and read that successfully in krita. $ cat gimp.trace | grep -v qa | grep exr access("/usr/lib64/gimp/2.0/plug-ins/file-exr/file-exr", X_OK) = 0 openat(AT_FDCWD, "/usr/lib64/gimp/2.0/plug-ins/file-exr/file-exr", O_RDONLY) = 15 write(14, "\0\0\0\5\0\0\0\16file-exr-load\0\0\0\0\3\0\0\0\0\0\0"..., 193) = 193 read(10, "file-exr-load\0", 14) = 14 write(14, "\0\0\0\5\0\0\0\16file-exr-save\0\0\0\0\5\0\0\0\0\0\0"..., 199) = 199 read(10, "file-exr-save\0", 14) = 14 Again no close connection with the openexr library so maybe strace is not the best tool to use. Anyway, leaving it at that. There seems no good reason to release the packages.
Whiteboard: (none) => MGA8-64-OK
Typo in comment 8. s/release/with-hold/ | s/to release/not to release/
Validating. Advisory in Comment 7.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0524.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED