OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475

  • Done
  • quality assurance status badge
Details
2 participants
  • Léo Le Bouter
  • Vinicius Monego
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal

Debbugs page

L
L
Léo Le Bouter wrote on 30 Mar 2021 18:47
(address . bug-guix@gnu.org)
a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@zaclys.net
CVE-2021-3474 30.03.21 20:15
There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted
input file that is processed by OpenEXR could cause a shift overflow in
the FastHufDecoder, potentially leading to problems with application
availability.

Fix:

CVE-2021-3476 30.03.21 20:15
A flaw was found in OpenEXR's B44 uncompression functionality in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to OpenEXR could trigger shift overflows, potentially affecting
application availability.

Fix:

CVE-2021-3475 30.03.21 20:15
There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker
who can submit a crafted file to be processed by OpenEXR could cause an
integer overflow, potentially leading to problems with application
availability.

Fix:

I could not check if these flaws affect the 2.5.2 version packaged in
GNU Guix yet.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBj1LQACgkQRaix6GvN
EKZWcxAAjvsfz0VM8nDNd3GIt4t+TF3cn5spiImsfzr8ZvvJkWwj0CAoZxzKt9p+
N8/oSHs9Uq7T95yNs6n1wih0nq09bhTrwl4J+J4POLoCYl4v0KrFm3rMujYe6VVb
R85YMaTkzX8qjjb7tBGSYxMTbziZIOwYBb1G8AcKD+W5h01YR988aX41ex4epUoA
dD5E4TQxpCKFdykonWSrZMjOohzgsdW8utU39D7Q6OdOXZmgPtaxfSfcQW+LVLza
3MsqhnX1tDIkORppG1nSFO2tIGPSuKzMkE5Okl5XaI/C+e3KfNiIpx2ZKWNNW5IT
wzUy10kW6glAGLd0LzTBgILATND6Cbu3JRISeWC9GWJp0g6/elpSiXT8Njgme4B+
NZ2dp6iawG6dS9BQMOaNVulZ36t13XT7QDE6ZuAP4rguBZLB7muHYKRGTiy5EH4C
x73YCBmU81AJd+81mDniNAPzKkjJr1zwGU0MJzDav8hgqLRzSxYKkTzgOFBhTQlJ
jwYxnuq9I7/Jep5vS9TfFNfadKZYhwHZ35HB6gZVyuSqnjBYb5B3YWRp0UmxtTAv
IhCWx9DC9EUBZwJT5VzqlFoST+AH28GQ4le7m0eEyvF0yWiw4woOCapjw6Dzttw9
uDoaBcn0R1Rcj9zZsWEO5rBfz8akED6UOolYRql16KebHz5OtF0=
=JiLR
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 30 Mar 2021 18:50
(address . control@debbugs.gnu.org)
752221debf55bcf849797ca9696625bc9df52f27.camel@zaclys.net
tags 47509 + security
quit
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBj1XUACgkQRaix6GvN
EKbn1g/8CikJLjzZHTaHWsTNHuVvtpe9T2bIzslUr0NE4MEYyv6b6pdldcR55RVV
mspSc2oUzNg0MthCejoSlO5Jp5m9tIiiML5Gxd1kuR09h0rdKeVUO4K1iV5sj6Eq
8co1fN1IHZLxqHdsrb6G0pHPZDl8JsEtpVyQj2kZVr4yzcEVFZgWRS9ZhnrPuFb5
JPGQYW+qm0HAhkH4p7gSBGr/o1V0bRAwHlGlXKpImoe2B/9Q43HhHViIh0wj4v7G
vwYitpd79optnxrA8W+HXd83bLkHC/spb9fiwN1e7fhkBzi1qovI2J1VHQqvkRnl
hPhd38aA8Y3KaNE9b17rEKUOHoPw0DfamNeVSUkAa5U2h3g+qmKNL7QVpG9u29TM
9JCs/u1jDoIbkWT0JHSZEDtocPX4wCYjYm4BGGSO8Ky9wgaMymXyrc5uvsqRI/lE
w5IUfwMpR+3aCjzphRZigeoxxvNbQQ64oVlnDGivP6POi1LkgFeoRU7uyDfxajfa
aHxiHehuFJuNMH9ZdY2ENrsg8YsHLtcYeGFdH0rohL+r9XqP/iGNUAzV/SgVU4ue
oUlS+2jCIjUxgZk63VNszospBoSAbhW3S1qxDXv78IQszLdQkTiFHFZMaBqiAkXf
k7F+QF/wIYPLPXLrihgndoz2xr3yN4xzEznTVo1N5X7w8CAEEZs=
=NI9F
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 1 Apr 2021 06:26
(address . 47509@debbugs.gnu.org)
39ed8eb5a4a1accb3cc1e3fe428369987fd30aef.camel@zaclys.net
Another wave it seems:

CVE-2021-3479 31.03.21 16:15
There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.

Fix:

CVE-2021-3478 31.03.21 16:15
There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.

Fix (? as Red Hat analyst points out in
uncertain):


CVE-2021-3477 31.03.21 16:15
There's a flaw in OpenEXR's deep tile sample size calculations in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to be processed by OpenEXR could trigger an integer overflow,
subsequently leading to an out-of-bounds read. The greatest risk of
this flaw is to application availability.

Fix (? as Red Hat analyst points out in
uncertain):
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBlygAACgkQRaix6GvN
EKYhsQ/8DG/8IiaiEXkS53jgussV67oQGft+iFgxTCXyeanPvazZ5way4ulse/VL
ledGOfBkFZpduXcwgkgTz2DblyHsIVIS9rgi7v9u+QpI4CdszCN9RgTOWhHC0jk1
NyyeEWDeGM6xGftykP4rr1JHSPPA+DPnI//nQJRIetj/sBGmexzJixFrcBm79kdf
QSmKldEIQ/qDOD7qmSxzx2F1Absiv+gQaYC+uIw0XQDZCDjDu8KS6KwhHq0t6XT7
/07Fnsin1YitK2Wp/jS2f78HdETA0BT0CHTGE1/MqgFjSpV7g/1KArugEkyVlPF1
1CG+cqYT0rD1Jk6hyzg/S+4joDC//eTrY0P+0G7Xt28Zu6p7hpAUXBsOUBn3dGtk
NIUA2zJ7HRVoxIEKgG2TgbsJtH3+dxPO4v6DbeA0cu60PxpZljpiCZi2TY4+Kwu/
yUNb0ZDCZVH+HSxXe8xdtFSW4UTPA7WXKt72HJphinVS3WdvzgGCk/rwFdXA91zJ
PCWWD92KfR4FxwIMqOqFKvSYJZ/93VVCtdN8zHOrkp2B7NZ2+DCklezVOL/YhamN
HJ0PD2iD9KCOaT9I5hrVNnDgqKP/SMEty/6sUtodpSPcxfkBGuqvSUEAk0FO+B5N
7rzsQXfypCkuvS3x8642FCTg8PwAj08c4x6KE0cysnbsNjsN1ZM=
=qtCP
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 2 Apr 2021 03:04
(address . 47509@debbugs.gnu.org)
5a683bcf509b1c441d82fd15d8123511c67fdadf.camel@zaclys.net
Another:

CVE-2021-20296 01.04.21 16:15
A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted
input file supplied by an attacker, that is processed by the Dwa
decompression functionality of OpenEXR's IlmImf library, could cause a
NULL pointer dereference. The highest threat from this vulnerability is
to system availability.

Fix:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBm7BkACgkQRaix6GvN
EKbA/BAAsXO9oAV9QDjSYHmyonMm/DZLYjdHeBe+6Mjm8Er88DDVTA/uv8PJO2Xb
wrP0gJToPVkJHh3zokIv/ZpZ1WyuDxOk4++wy/dNH7FVssknsNfqiuC6tAKvXtgW
khCh7tmbasbseJy+XiF3jvVxZD2tYlRg8Q9OdUU8Buw1gKEDbpgPBpS7l59lJaEs
e8c/tUaH4nuoLthS65yye4yJEYBswan6s3HjLrIYag6rvjRx/C32gJrzc3P+AdfD
D+KdW7evcTutHGxAcOxoX2oAZUm7xqzhf7J10zxTV4KTUzvYRm/okdCzeO5v4p+N
hcH5Px13JwlCQ+r3Gf2YptbHpXT2OEX5x1k5fKKN/v1Wv5IoVnKYeoHtdi4F+k7h
+tiNMFTKRRRe5D0Gezcw0wW9pPzdPZBZ82h75PeWA3X4qsdxUa4bhk9qHVWmInvd
CyocMzvTDd9/2apo2tWrLPnWUs6WXVFQsozMO/TTZqrs7WhHfRHzcrrfqB9wTZz2
SGnhOdEBsfHPaxJ4Y4jV7q5oIfmvsI7WbApatdhFq11eWx8WAg6YDht7ewpztFNJ
c/eviIP0MfogM32EpB9LC1y7H2JIWzNMgzi/HAVs/Mh3AieAso1v9inARHpDk5E1
BhIeEV9Lvk29MXkeymgj+17/D6H2ueOYVHPCqtX0rMfVSWKSYvc=
=o2+p
-----END PGP SIGNATURE-----


V
V
Vinicius Monego wrote on 5 Jul 2021 16:46
OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
(address . 47509-done@debbugs.gnu.org)
db3160c50ea1ed51018ec9cdf093151937b43d4e.camel@posteo.net
Hi,

I found [1] which lists which versions of OpenEXR are vulnerable to
which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2],
while we are currently tracking version 2.5.5, for which there are no
known CVEs.

I will close this issue. Feel free to reopen if I missed anything.

[1]

[2]
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 47509@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 47509
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch