Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

openexr: CVE-2021-3933 CVE-2021-3941 CVE-2021-45942

Related Vulnerabilities: CVE-2021-3933   CVE-2021-3941   CVE-2021-45942  

Source

Debian Bug report logs - #1014828
openexr: CVE-2021-3933 CVE-2021-3941 CVE-2021-45942

version graph

Package: src:openexr; Maintainer for src:openexr is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Tue, 12 Jul 2022 19:33:02 UTC

Severity: grave

Tags: security, upstream

Found in version openexr/2.5.7-1

Fixed in version openexr/3.1.4-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#1014828; Package src:openexr. (Tue, 12 Jul 2022 19:33:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 12 Jul 2022 19:33:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: openexr: CVE-2021-3933 CVE-2021-3941 CVE-2021-45942
Date: Tue, 12 Jul 2022 21:29:40 +0200
Source: openexr
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openexr.

CVE-2021-3933[0]:
| An integer overflow could occur when OpenEXR processes a crafted file
| on systems where size_t &lt; 64 bits. This could cause an invalid
| bytesPerLine and maxBytesPerLine value, which could lead to problems
| with application stability or lead to other attack paths.

https://bugzilla.redhat.com/show_bug.cgi?id=2019783
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38912
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17

CVE-2021-3941[1]:
| In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division
| operations such as `float Z = (1 - chroma.white.x - chroma.white.y) *
| Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the
| divisor is not checked for a 0 value. A specially crafted file could
| trigger a divide-by-zero condition which could affect the availability
| of programs linked with OpenEXR.

https://bugzilla.redhat.com/show_bug.cgi?id=2019789
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084
https://github.com/AcademySoftwareFoundation/openexr/pull/1153
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/a0cfa81153b2464b864c5fe39a53cb03339092ed

CVE-2021-45942[2]:
| OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in
| Imf_3_1::LineCompositeTask::execute (called from
| IlmThread_3_1::NullThreadPoolProvider::addTask and
| IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be
| inapplicable.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
https://github.com/AcademySoftwareFoundation/openexr/pull/1209
https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3933
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933
[1] https://security-tracker.debian.org/tracker/CVE-2021-3941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3941
[2] https://security-tracker.debian.org/tracker/CVE-2021-45942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45942

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 12 Jul 2022 20:33:03 GMT) (full text, mbox, link).

Marked as fixed in versions openexr/3.1.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 Jul 2022 05:39:06 GMT) (full text, mbox, link).

Marked as found in versions openexr/2.5.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 Jul 2022 05:39:06 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jul 13 13:16:23 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started