openexr: CVE-2017-12596

Related Vulnerabilities: CVE-2017-12596  

Debian Bug report logs - #877352
openexr: CVE-2017-12596

version graph

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 30 Sep 2017 19:51:01 UTC

Severity: important

Tags: security, upstream

Found in versions openexr/2.2.0-11, openexr/1.6.1-6

Fixed in versions 2.2.1-1, openexr/2.2.0-11.1

Done: "Matteo F. Vescovi" <mfv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/openexr/openexr/issues/238

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#877352; Package src:openexr. (Sat, 30 Sep 2017 19:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sat, 30 Sep 2017 19:51:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openexr:CVE-2017-12596
Date: Sat, 30 Sep 2017 21:48:44 +0200
Source: openexr
Version: 2.2.0-11.1
Severity: important
Tags: upstream security
Forwarded: https://github.com/openexr/openexr/issues/238

Hi,

the following vulnerability was published for openexr, filling this
bug to track the upstream issue at [1].

CVE-2017-12596[0]:
| In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read
| in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled
| execution; it may result in denial of service or possibly unspecified
| other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12596
[1] https://github.com/openexr/openexr/issues/238

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Changed Bug title to 'openexr: CVE-2017-12596' from 'openexr:CVE-2017-12596'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Sep 2017 19:57:04 GMT) (full text, mbox, link).


Reply sent to "Matteo F. Vescovi" <mfv@debian.org>:
You have taken responsibility. (Wed, 10 Jan 2018 16:39:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Jan 2018 16:39:05 GMT) (full text, mbox, link).


Message #12 received at 877352-done@bugs.debian.org (full text, mbox, reply):

From: "Matteo F. Vescovi" <mfv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 877352-done@bugs.debian.org
Subject: Re: Bug#877352: openexr:CVE-2017-12596
Date: Wed, 10 Jan 2018 17:37:29 +0100
[Message part 1 (text/plain, inline)]
Version: 2.2.1-1

On 2017-09-30 at 22:48 (+0200), Salvatore Bonaccorso wrote:
> Source: openexr
> Version: 2.2.0-11.1
> Severity: important
> Tags: upstream security
> Forwarded: https://github.com/openexr/openexr/issues/238
>
> Hi,
>
> the following vulnerability was published for openexr, filling this
> bug to track the upstream issue at [1].
>
> CVE-2017-12596[0]:
> | In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read
> | in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled
> | execution; it may result in denial of service or possibly unspecified
> | other impact.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

CVE id has been added, but forgot to close this bug report.

Doing it now.

Cheers.


-- 
Matteo F. Vescovi
[signature.asc (application/pgp-signature, inline)]

No longer marked as found in versions openexr/2.2.0-11.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:06 GMT) (full text, mbox, link).


Marked as found in versions openexr/2.2.0-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:06 GMT) (full text, mbox, link).


Marked as fixed in versions openexr/2.2.0-11.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:07 GMT) (full text, mbox, link).


Marked as found in versions openexr/1.6.1-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Jan 2018 20:15:16 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Feb 2018 07:28:19 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:34 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.