Bug 31364 - openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4359[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23]
Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-03 20:50 CET by David Walser
Modified: 2023-04-24 02:21 CEST (History)
4 users

See Also:
Source RPM: openimageio-2.2.10.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2023-01-03 20:50:36 CET
Fedora has issued an advisory on December 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T3LET4MEPBSBJZK4EMLEBY4FUXKU5BMN/

The issues are fixed upstream in 2.3.21.0.
David Walser 2023-01-03 20:50:49 CET

Status comment: (none) => Fixed upstream in 2.3.21.0

Comment 1 David Walser 2023-01-03 20:57:16 CET
Fedora has issued an advisory on January 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MLUXEL7AB2S5ACSDCHG67GEZHUYZBR5O/

It fixes an additional issue which may affect Cauldron.

Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198 CVE-2022-41988 CVE-2022-41999 => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603

Comment 2 Lewis Smith 2023-01-03 21:56:58 CET
We have v2.4.6.1 in Cauldron. Leaving it to luigi whether this bug gets to include Cauldron in the light of the remark above. M8 for now.

Many packagers have dealt with this SRPM lately, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2023-02-22 15:50:46 CET
Fedora has issued an advisory today (February 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LK6TY36VQ3FQXMZ2VXHZGQ43VDLD67GG/

The issues are fixed upstream in 2.4.8.1.

Mageia 8 is also affected.

Status comment: Fixed upstream in 2.3.21.0 => Fixed upstream in 2.4.8.1
Source RPM: openimageio-2.2.10.0-1.mga8.src.rpm => openimageio-2.2.10.0-1.mga8.src.rpm, openimageio-2.4.6.1-6.mga9.src.rpm
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603 => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603 CVE-2023-22845 CVE-2023-2447[23]

Comment 4 David Walser 2023-04-10 22:10:50 CEST
Debian has issued an advisory on April 5:
https://www.debian.org/lts/security/2023/dla-3382

It fixes some of these issues plus others not previously listed.

Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603 CVE-2023-22845 CVE-2023-2447[23] => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4395[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23]

Comment 5 Nicolas Salguero 2023-04-11 14:21:42 CEST
Hi,

For Cauldron, a freeze move was requested for openimageio-2.4.10.0-1.mga9.

For Mga8, Debian has issued an advisory on April 10:
https://www.debian.org/security/2023/dsa-5384
but I could not find the source for 2.2.10.1+dfsg-1+deb11u1.

Best regards,

CC: (none) => nicolas.salguero

Nicolas Salguero 2023-04-12 09:45:58 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Nicolas Salguero 2023-04-13 15:29:00 CEST

Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4395[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23] => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4359[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23]

Comment 6 Nicolas Salguero 2023-04-13 15:35:45 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0, more specifically in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. (CVE-2022-36354)

A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. (CVE-2022-38143)

A heap-based buffer overflow vulnerability exists in the tile decoding code of the TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to out-of-bounds memory corruption, which can result in arbitrary code execution. (CVE-2022-41639)

A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. (CVE-2022-41684)

A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. (CVE-2022-41794)

A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. (CVE-2022-41838)

An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. (CVE-2022-41977)

A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. (CVE-2022-41981)

An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. (CVE-2022-41988)

A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. (CVE-2022-41999)

An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. (CVE-2022-43592)

A denial of service vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to null pointer dereference. (CVE-2022-43593)

Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. This vulnerability applies to writing .bmp files. (CVE-2022-43594)

Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. This vulnerability applies to writing .fits files. (CVE-2022-43595)

An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. (CVE-2022-43596)

Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT8`. (CVE-2022-43597)

Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT16`. (CVE-2022-43598)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`. (CVE-2022-43599)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`. (CVE-2022-43600)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`. (CVE-2022-43601)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`. (CVE-2022-43602)

A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. (CVE-2022-43603)

An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. (CVE-2023-22845)

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. (CVE-2023-24472)

An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. (CVE-2023-24473)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24473
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T3LET4MEPBSBJZK4EMLEBY4FUXKU5BMN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MLUXEL7AB2S5ACSDCHG67GEZHUYZBR5O/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LK6TY36VQ3FQXMZ2VXHZGQ43VDLD67GG/
https://www.debian.org/lts/security/2023/dla-3382
https://www.debian.org/security/2023/dsa-5384
========================

Updated packages in core/updates_testing:
========================
lib(64)openimageio2.2-2.2.10.0-1.1.mga8
lib(64)openimageio-devel-2.2.10.0-1.1.mga8
openimageio-2.2.10.0-1.1.mga8
python3-openimageio-2.2.10.0-1.1.mga8

from SRPM:
openimageio-2.2.10.0-1.1.mga8.src.rpm

Status comment: Fixed upstream in 2.4.8.1 => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: openimageio-2.2.10.0-1.mga8.src.rpm, openimageio-2.4.6.1-6.mga9.src.rpm => openimageio-2.2.10.0-1.mga8.src.rpm

Comment 7 Thomas Andrews 2023-04-17 18:32:09 CEST
MGA8-64 Plasma system on an HP Probook 6550b, i3, Intel graphics. No installation issues.

Looking for a test, urpmq --whatrequires on the library indicates only a few, with Blender being the obvious choice. Unfortunately, Blender is a very complex application, requiring a certain amount of user experience to use effectively, which I do not possess. 

So I looked elsewhere. Openimageio includes a simple command line image viewer for 2D images of the formats it supports, so I tried that, viewing jpg, png, and a couple of old bmp images that I have on hand with no discernible issues.

I believe that is sufficient for an OK, and will validate. If it needs something more, let me know. I can *try* Blender if necessary, but I make no promises of success.

Advisory in comment 6.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-23 23:49:33 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-04-24 02:21:51 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0151.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

