From: Léo Le Bouter
To: 47509@debbugs.gnu.org
Subject: Re: bug#47509: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
Date: Fri, 02 Apr 2021 12:04:09 +0200

Another:

CVE-2021-20296 01.04.21 16:15
A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.

Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a