OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475

Léo Le Bouter wrote on 31 Mar 03:47 +0200

Recipients:(address . bug-guix@gnu.org)

Message-ID:a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@zaclys.net

CVE-2021-3474 30.03.21 20:15There's a flaw in OpenEXR in versions before 3.0.0-beta. A craftedinput file that is processed by OpenEXR could cause a shift overflow inthe FastHufDecoder, potentially leading to problems with applicationavailability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f
CVE-2021-3476 30.03.21 20:15A flaw was found in OpenEXR's B44 uncompression functionality inversions before 3.0.0-beta. An attacker who is able to submit a craftedfile to OpenEXR could trigger shift overflows, potentially affectingapplication availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
CVE-2021-3475 30.03.21 20:15There is a flaw in OpenEXR in versions before 3.0.0-beta. An attackerwho can submit a crafted file to be processed by OpenEXR could cause aninteger overflow, potentially leading to problems with applicationavailability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
I could not check if these flaws affect the 2.5.2 version packaged inGNU Guix yet.

Léo Le Bouter wrote on 31 Mar 03:50 +0200

Recipients:(address . control@debbugs.gnu.org)

Message-ID:752221debf55bcf849797ca9696625bc9df52f27.camel@zaclys.net

tags 47509 + securityquit

Léo Le Bouter wrote on 1 Apr 15:26 +0200

Recipients:(address . 47509@debbugs.gnu.org)

Message-ID:39ed8eb5a4a1accb3cc1e3fe428369987fd30aef.camel@zaclys.net

Another wave it seems:
CVE-2021-3479 31.03.21 16:15There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
CVE-2021-3478 31.03.21 16:15There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
Fix (? as Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3,it indeed looksuncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a

CVE-2021-3477 31.03.21 16:15There's a flaw in OpenEXR's deep tile sample size calculations inversions before 3.0.0-beta. An attacker who is able to submit a craftedfile to be processed by OpenEXR could trigger an integer overflow,subsequently leading to an out-of-bounds read. The greatest risk ofthis flaw is to application availability.
Fix (? as Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3,it indeed looksuncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1

Léo Le Bouter wrote on 2 Apr 12:04 +0200

Recipients:(address . 47509@debbugs.gnu.org)

Message-ID:5a683bcf509b1c441d82fd15d8123511c67fdadf.camel@zaclys.net

Another:
CVE-2021-20296	01.04.21 16:15A flaw was found in OpenEXR in versions before 3.0.0-beta. A craftedinput file supplied by an attacker, that is processed by the Dwadecompression functionality of OpenEXR's IlmImf library, could cause aNULL pointer dereference. The highest threat from this vulnerability isto system availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date