OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475

Done
Submitted by Léo Le Bouter.
Details
2 participants
  • Léo Le Bouter
  • Vinicius Monego
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 31 Mar 03:47 +0200
(address . bug-guix@gnu.org)
a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@zaclys.net
CVE-2021-3474 30.03.21 20:15
There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f
CVE-2021-3476 30.03.21 20:15
A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
CVE-2021-3475 30.03.21 20:15
There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
I could not check if these flaws affect the 2.5.2 version packaged in GNU Guix yet.

Léo Le Bouter wrote on 31 Mar 03:50 +0200
(address . control@debbugs.gnu.org)
752221debf55bcf849797ca9696625bc9df52f27.camel@zaclys.net
tags 47509 + security
quit

Léo Le Bouter wrote on 1 Apr 15:26 +0200
(address . 47509@debbugs.gnu.org)
39ed8eb5a4a1accb3cc1e3fe428369987fd30aef.camel@zaclys.net
Another wave it seems:
CVE-2021-3479 31.03.21 16:15
There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
CVE-2021-3478 31.03.21 16:15
There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
Fix (? as Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3, it indeed looks uncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a

CVE-2021-3477 31.03.21 16:15
There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.
Fix (? as Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3, it indeed looks uncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1

Léo Le Bouter wrote on 2 Apr 12:04 +0200
(address . 47509@debbugs.gnu.org)
5a683bcf509b1c441d82fd15d8123511c67fdadf.camel@zaclys.net
Another:
CVE-2021-20296 01.04.21 16:15
A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a

Vinicius Monego wrote on 6 Jul 01:46 +0200
OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
(address . 47509-done@debbugs.gnu.org)
db3160c50ea1ed51018ec9cdf093151937b43d4e.camel@posteo.net
Hi,
I found [1] which lists which versions of OpenEXR are vulnerable to which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2], while we are currently tracking version 2.5.5, for which there are no known CVEs.
I will close this issue. Feel free to reopen if I missed anything.
[1] https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md
[2] https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-254-december-31-2020
Closed