SUSE has issued an advisory on January 12: https://lists.suse.com/pipermail/sle-security-updates/2022-January/009997.html

Mageia 8 is also affected.
openSUSE has issued an advisory for this on January 12: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QYJBECOXKL6LM6PP3ZL5EKF4GRPTFTD5/
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE
No consistent maintainer, but NicolasS (assignee) & DavidG (CC) look most promising.
CC: (none) => geiger.david68210
Assignee: bugsquad => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). (CVE-2021-45942)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45942
https://lists.suse.com/pipermail/sle-security-updates/2022-January/009997.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QYJBECOXKL6LM6PP3ZL5EKF4GRPTFTD5/
========================

Updated packages in core/updates_testing:
========================

lib(64)ilmbase2_5_25-2.5.7-1.3.mga8
lib(64)ilmbase-devel-2.5.7-1.3.mga8
lib(64)openexr-devel-2.5.7-1.3.mga8
openexr-2.5.7-1.3.mga8
lib(64)ilmimf2_5_25-2.5.7-1.3.mga8

from SRPM:
openexr-2.5.7-1.3.mga8.src.rpm
Status comment: Patches available from upstream and openSUSE => (none)
CC: (none) => nicolas.salguero
Source RPM: openexr-3.1.3-1.mga9.src.rpm => openexr-2.5.7-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
mga8, x64

Installed all the packages from core release and krita. Used krita to display various EXR format test images. Not going to repeat the strace tests reported on bug 29657 which showed that exr related libraries are used.

Updated all five packages from testing. Ran the same tests as before in the local TestImages directory.

$ exrheader AllHalfValues.exr

file AllHalfValues.exr:

file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
compression (type compression): piz
dataWindow (type box2i): (0 0) - (255 255)
displayWindow (type box2i): (0 0) - (255 255)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"

Reloaded krita to look at some of the EXR image files.

Moved to another directory:

$ pwd
/home/lcl/qa/openexr/openexr-images-master/v2/Stereo

$ exrmultipart -combine -i Trunks.exr Leaves.exr Ground.exr -o new.exr
input:
Trunks.exr
Leaves.exr
Ground.exr
output:
new.exr
override:0
-combine multipart input
part 0: deepscanlineimage
part 1: deepscanlineimage
part 2: deepscanlineimage
part 3: deepscanlineimage
part 4: deepscanlineimage
part 5: deepscanlineimage
Combine Success

Sort of - new.exr showed only the Trunks, as in previous tests. This may only expose the user's lack of understanding of how to handle EXR images. And, as before, krita showed balls, trees, trunks and ground in the composited.exr image.

This is all developer territory really, so there is very little that QA can say about the new packages except there are no obvious regressions. Giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0020.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED