OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475

CVE-2021-3474 30.03.21 20:15

There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted

input file that is processed by OpenEXR could cause a shift overflow in

the FastHufDecoder, potentially leading to problems with application

availability.

Fix:

CVE-2021-3476 30.03.21 20:15

A flaw was found in OpenEXR's B44 uncompression functionality in

versions before 3.0.0-beta. An attacker who is able to submit a crafted

file to OpenEXR could trigger shift overflows, potentially affecting

application availability.

Fix:

CVE-2021-3475 30.03.21 20:15

There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker

who can submit a crafted file to be processed by OpenEXR could cause an

integer overflow, potentially leading to problems with application

availability.

Fix:

I could not check if these flaws affect the 2.5.2 version packaged in

GNU Guix yet.

tags 47509 + security

quit

Another wave it seems:

CVE-2021-3479 31.03.21 16:15

There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.

Fix:

CVE-2021-3478 31.03.21 16:15

There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.

Fix (? as Red Hat analyst points out in

https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3,it indeed looks

uncertain):

CVE-2021-3477 31.03.21 16:15

There's a flaw in OpenEXR's deep tile sample size calculations in

versions before 3.0.0-beta. An attacker who is able to submit a crafted

file to be processed by OpenEXR could trigger an integer overflow,

subsequently leading to an out-of-bounds read. The greatest risk of

this flaw is to application availability.

Fix (? as Red Hat analyst points out in

https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3,it indeed looks

uncertain):

Another:

CVE-2021-20296 01.04.21 16:15

A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted

input file supplied by an attacker, that is processed by the Dwa

decompression functionality of OpenEXR's IlmImf library, could cause a

NULL pointer dereference. The highest threat from this vulnerability is

to system availability.

Fix:

Hi,

I found [1] which lists which versions of OpenEXR are vulnerable to

which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2],

while we are currently tracking version 2.5.5, for which there are no

known CVEs.

I will close this issue. Feel free to reopen if I missed anything.

[1]

[2]