Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-12596

Source

Debian Bug report logs - #877352
openexr: CVE-2017-12596

Package: src:openexr; Maintainer for src:openexr is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 30 Sep 2017 19:51:01 UTC

Severity: important

Tags: security, upstream

Found in versions openexr/2.2.0-11, openexr/1.6.1-6

Fixed in versions 2.2.1-1, openexr/2.2.0-11.1

Done: "Matteo F. Vescovi" <mfv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/openexr/openexr/issues/238

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#877352; Package src:openexr. (Sat, 30 Sep 2017 19:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sat, 30 Sep 2017 19:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: openexr
Version: 2.2.0-11.1
Severity: important
Tags: upstream security
Forwarded: https://github.com/openexr/openexr/issues/238

Hi,

the following vulnerability was published for openexr, filling this
bug to track the upstream issue at [1].

CVE-2017-12596[0]:
| In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read
| in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled
| execution; it may result in denial of service or possibly unspecified
| other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12596
[1] https://github.com/openexr/openexr/issues/238

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Changed Bug title to 'openexr: CVE-2017-12596' from 'openexr:CVE-2017-12596'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Sep 2017 19:57:04 GMT) (full text, mbox, link).

Reply sent to "Matteo F. Vescovi" <mfv@debian.org>:
You have taken responsibility. (Wed, 10 Jan 2018 16:39:05 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Jan 2018 16:39:05 GMT) (full text, mbox, link).

Message #12 received at 877352-done@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Version: 2.2.1-1

On 2017-09-30 at 22:48 (+0200), Salvatore Bonaccorso wrote:
> Source: openexr
> Version: 2.2.0-11.1
> Severity: important
> Tags: upstream security
> Forwarded: https://github.com/openexr/openexr/issues/238
>
> Hi,
>
> the following vulnerability was published for openexr, filling this
> bug to track the upstream issue at [1].
>
> CVE-2017-12596[0]:
> | In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read
> | in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled
> | execution; it may result in denial of service or possibly unspecified
> | other impact.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

CVE id has been added, but forgot to close this bug report.

Doing it now.

Cheers.


-- 
Matteo F. Vescovi

[signature.asc (application/pgp-signature, inline)]

No longer marked as found in versions openexr/2.2.0-11.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:06 GMT) (full text, mbox, link).

Marked as found in versions openexr/2.2.0-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:06 GMT) (full text, mbox, link).

Marked as fixed in versions openexr/2.2.0-11.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:07 GMT) (full text, mbox, link).

Marked as found in versions openexr/1.6.1-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:16 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Feb 2018 07:28:19 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:34 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

openexr: CVE-2017-12596

Debian Bug report logs - #877352
openexr: CVE-2017-12596

Vulmon Search

About

Products

Connect

openexr: CVE-2017-12596

Debian Bug report logs - #877352 openexr: CVE-2017-12596

Vulmon Search

About

Products

Connect

Debian Bug report logs - #877352
openexr: CVE-2017-12596