Fedora has issued an advisory on December 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T3LET4MEPBSBJZK4EMLEBY4FUXKU5BMN/ The issues are fixed upstream in 2.3.21.0.
Status comment: (none) => Fixed upstream in 2.3.21.0
Fedora has issued an advisory on January 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MLUXEL7AB2S5ACSDCHG67GEZHUYZBR5O/ It fixes an additional issue which may affect Cauldron.
Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198 CVE-2022-41988 CVE-2022-41999 => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603
We have v2.4.6.1 in Cauldron. Leaving it to luigi whether this bug gets to include Cauldron in the light of the remark above. M8 for now. Many packagers have dealt with this SRPM lately, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory today (February 22): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LK6TY36VQ3FQXMZ2VXHZGQ43VDLD67GG/ The issues are fixed upstream in 2.4.8.1. Mageia 8 is also affected.
Status comment: Fixed upstream in 2.3.21.0 => Fixed upstream in 2.4.8.1
Source RPM: openimageio-2.2.10.0-1.mga8.src.rpm => openimageio-2.2.10.0-1.mga8.src.rpm, openimageio-2.4.6.1-6.mga9.src.rpm
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603 => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603 CVE-2023-22845 CVE-2023-2447[23]
Debian has issued an advisory on April 5: https://www.debian.org/lts/security/2023/dla-3382 It fixes some of these issues plus others not previously listed.
Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43603 CVE-2023-22845 CVE-2023-2447[23] => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4395[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23]
Hi,

For Cauldron, a freeze move was requested for openimageio-2.4.10.0-1.mga9.

For Mga8, Debian has issued an advisory on April 10: https://www.debian.org/security/2023/dsa-5384 but I could not find the source for 2.2.10.1+dfsg-1+deb11u1.

Best regards,
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Summary: openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4395[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23] => openimageio new security issues CVE-2022-36354 CVE-2022-38143 CVE-2022-41639 CVE-2022-41684 CVE-2022-41794 CVE-2022-41838 CVE-2022-41977 CVE-2022-4198[18] CVE-2022-41999 CVE-2022-4359[2-9] CVE-2022-4360[0-3] CVE-2023-22845 CVE-2023-2447[23]
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. (CVE-2022-36354)

A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. (CVE-2022-38143)

A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. (CVE-2022-41639)

A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. (CVE-2022-41684)

A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. (CVE-2022-41794)

A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. (CVE-2022-41838)

An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. (CVE-2022-41977)

A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. (CVE-2022-41981)

An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. (CVE-2022-41988)

A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. (CVE-2022-41999)

An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. (CVE-2022-43592)

A denial of service vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to null pointer dereference. (CVE-2022-43593)

Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. This vulnerability applies to writing .bmp files. (CVE-2022-43594)

Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. This vulnerability applies to writing .fits files. (CVE-2022-43595)

An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. (CVE-2022-43596)

Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT8`. (CVE-2022-43597)

Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT16`. (CVE-2022-43598)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`. (CVE-2022-43599)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`. (CVE-2022-43600)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`. (CVE-2022-43601)

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`. (CVE-2022-43602)

A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. (CVE-2022-43603)

An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. (CVE-2023-22845)

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. (CVE-2023-24472)

An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. (CVE-2023-24473)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24473
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T3LET4MEPBSBJZK4EMLEBY4FUXKU5BMN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MLUXEL7AB2S5ACSDCHG67GEZHUYZBR5O/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LK6TY36VQ3FQXMZ2VXHZGQ43VDLD67GG/
https://www.debian.org/lts/security/2023/dla-3382
https://www.debian.org/security/2023/dsa-5384
========================

Updated packages in core/updates_testing:
========================
lib(64)openimageio2.2-2.2.10.0-1.1.mga8
lib(64)openimageio-devel-2.2.10.0-1.1.mga8
openimageio-2.2.10.0-1.1.mga8
python3-openimageio-2.2.10.0-1.1.mga8

from SRPM:
openimageio-2.2.10.0-1.1.mga8.src.rpm
Status comment: Fixed upstream in 2.4.8.1 => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: openimageio-2.2.10.0-1.mga8.src.rpm, openimageio-2.4.6.1-6.mga9.src.rpm => openimageio-2.2.10.0-1.mga8.src.rpm
MGA8-64 Plasma system on an HP Probook 6550b, i3, Intel graphics. No installation issues. Looking for a test, urpmq --whatrequires on the library indicates only a few, with Blender being the obvious choice. Unfortunately, Blender is a very complex application, requiring a certain amount of user experience to use effectively, which I do not possess. So I looked elsewhere. Openimageio includes a simple command line image viewer for 2D images of the formats it supports, so I tried that, viewing jpg, png, and a couple of old bmp images that I have on hand with no discernible issues. I believe that is sufficient for an OK, and will validate. If it needs something more, let me know. I can *try* Blender if necessary, but I make no promises of success. Advisory in comment 6.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0151.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED