Debian Bug report logs -
#1027143
penimageio: CVE-2022-36354 CVE-2022-38143 CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#1027143; Package src:openimageio.
(Wed, 28 Dec 2022 16:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Wed, 28 Dec 2022 16:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openimageio
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openimageio.
CVE-2022-43592[0]:
| An information disclosure vulnerability exists in the
| DPXOutput::close() functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked
| heap data. An attacker can provide malicious input to trigger this
| vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1651
CVE-2022-43593[1]:
| A denial of service vulnerability exists in the DPXOutput::close()
| functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially
| crafted ImageOutput Object can lead to null pointer dereference. An
| attacker can provide malicious input to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1652
CVE-2022-43594[2]:
| Multiple denial of service vulnerabilities exist in the image output
| closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2.
| Specially crafted ImageOutput Objects can lead to multiple null
| pointer dereferences. An attacker can provide malicious multiple
| inputs to trigger these vulnerabilities.This vulnerability applies to
| writing .bmp files.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653
CVE-2022-43595[3]:
| Multiple denial of service vulnerabilities exist in the image output
| closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2.
| Specially crafted ImageOutput Objects can lead to multiple null
| pointer dereferences. An attacker can provide malicious multiple
| inputs to trigger these vulnerabilities.This vulnerability applies to
| writing .fits files.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653
CVE-2022-43596[4]:
| An information disclosure vulnerability exists in the IFFOutput
| channel interleaving functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked
| heap data. An attacker can provide malicious input to trigger this
| vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1654
CVE-2022-43597[5]:
| Multiple memory corruption vulnerabilities exist in the IFFOutput
| alignment padding functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary
| code execution. An attacker can provide malicious input to trigger
| these vulnerabilities.This vulnerability arises when the
| `m_spec.format` is `TypeDesc::UINT8`.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655
CVE-2022-43598[6]:
| Multiple memory corruption vulnerabilities exist in the IFFOutput
| alignment padding functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary
| code execution. An attacker can provide malicious input to trigger
| these vulnerabilities.This vulnerability arises when the
| `m_spec.format` is `TypeDesc::UINT16`.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655
CVE-2022-43599[7]:
| Multiple code execution vulnerabilities exist in the
| IFFOutput::close() functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap
| buffer overflow. An attacker can provide malicious input to trigger
| these vulnerabilities.This vulnerability arises when the `xmax`
| variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
CVE-2022-43600[8]:
| Multiple code execution vulnerabilities exist in the
| IFFOutput::close() functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap
| buffer overflow. An attacker can provide malicious input to trigger
| these vulnerabilities.This vulnerability arises when the `xmax`
| variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
CVE-2022-43601[9]:
| Multiple code execution vulnerabilities exist in the
| IFFOutput::close() functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap
| buffer overflow. An attacker can provide malicious input to trigger
| these vulnerabilities.This vulnerability arises when the `ymax`
| variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
CVE-2022-43602[10]:
| Multiple code execution vulnerabilities exist in the
| IFFOutput::close() functionality of OpenImageIO Project OpenImageIO
| v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap
| buffer overflow. An attacker can provide malicious input to trigger
| these vulnerabilities.This vulnerability arises when the `ymax`
| variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
CVE-2022-41639[11]:
| A heap based buffer overflow vulnerability exists in tile decoding
| code of TIFF image parser in OpenImageIO master-branch-9aeece7a and
| v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds
| memory corruption, which can result in arbitrary code execution. An
| attacker can provide a malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1633
CVE-2022-41649[12]:
| A heap out of bounds read vulnerability exists in the handling of IPTC
| data while parsing TIFF images in OpenImageIO v2.3.19.0. A specially-
| crafted TIFF file can cause a read of adjacent heap memory, which can
| leak sensitive process information. An attacker can provide a
| malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1631
CVE-2022-41684[13]:
| A heap out of bounds read vulnerability exists in the OpenImageIO
| master-branch-9aeece7a when parsing the image file directory part of a
| PSD image file. A specially-crafted .psd file can cause a read of
| arbitrary memory address which can lead to denial of service. An
| attacker can provide a malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1632
CVE-2022-41794[14]:
| A heap based buffer overflow vulnerability exists in the PSD thumbnail
| resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD
| file can lead to arbitrary code execution. An attacker can provide a
| malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1626
CVE-2022-41837[15]:
| An out-of-bounds write vulnerability exists in the
| OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO
| Project OpenImageIO v2.4.4.2. Specially-crafted exif metadata can lead
| to stack-based memory corruption. An attacker can provide a malicious
| file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1636
CVE-2022-41838[16]:
| A code execution vulnerability exists in the DDS scanline parsing
| functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A
| specially-crafted .dds can lead to a heap buffer overflow. An attacker
| can provide a malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1634
CVE-2022-41977[17]:
| An out of bounds read vulnerability exists in the way OpenImageIO
| version v2.3.19.0 processes string fields in TIFF image files. A
| specially-crafted TIFF file can lead to information disclosure. An
| attacker can provide a malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1627
CVE-2022-41981[18]:
| A stack-based buffer overflow vulnerability exists in the TGA file
| format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file
| can lead to out of bounds read and write on the process stack, which
| can lead to arbitrary code execution. An attacker can provide a
| malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1628
CVE-2022-41988[19]:
| An information disclosure vulnerability exists in the
| OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project
| OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a
| disclosure of sensitive information. An attacker can provide a
| malicious file to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1643
https://github.com/OpenImageIO/oiio/commit/e9103925bb2aeed36b01b3805f36959f5d1a2e18#diff-8496b368a265f99b41e3c06bf99a5ea82d4f40fff1919ee79caa26ae033b3a06R118
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-43592
https://www.cve.org/CVERecord?id=CVE-2022-43592
[1] https://security-tracker.debian.org/tracker/CVE-2022-43593
https://www.cve.org/CVERecord?id=CVE-2022-43593
[2] https://security-tracker.debian.org/tracker/CVE-2022-43594
https://www.cve.org/CVERecord?id=CVE-2022-43594
[3] https://security-tracker.debian.org/tracker/CVE-2022-43595
https://www.cve.org/CVERecord?id=CVE-2022-43595
[4] https://security-tracker.debian.org/tracker/CVE-2022-43596
https://www.cve.org/CVERecord?id=CVE-2022-43596
[5] https://security-tracker.debian.org/tracker/CVE-2022-43597
https://www.cve.org/CVERecord?id=CVE-2022-43597
[6] https://security-tracker.debian.org/tracker/CVE-2022-43598
https://www.cve.org/CVERecord?id=CVE-2022-43598
[7] https://security-tracker.debian.org/tracker/CVE-2022-43599
https://www.cve.org/CVERecord?id=CVE-2022-43599
[8] https://security-tracker.debian.org/tracker/CVE-2022-43600
https://www.cve.org/CVERecord?id=CVE-2022-43600
[9] https://security-tracker.debian.org/tracker/CVE-2022-43601
https://www.cve.org/CVERecord?id=CVE-2022-43601
[10] https://security-tracker.debian.org/tracker/CVE-2022-43602
https://www.cve.org/CVERecord?id=CVE-2022-43602
[11] https://security-tracker.debian.org/tracker/CVE-2022-41639
https://www.cve.org/CVERecord?id=CVE-2022-41639
[12] https://security-tracker.debian.org/tracker/CVE-2022-41649
https://www.cve.org/CVERecord?id=CVE-2022-41649
[13] https://security-tracker.debian.org/tracker/CVE-2022-41684
https://www.cve.org/CVERecord?id=CVE-2022-41684
[14] https://security-tracker.debian.org/tracker/CVE-2022-41794
https://www.cve.org/CVERecord?id=CVE-2022-41794
[15] https://security-tracker.debian.org/tracker/CVE-2022-41837
https://www.cve.org/CVERecord?id=CVE-2022-41837
[16] https://security-tracker.debian.org/tracker/CVE-2022-41838
https://www.cve.org/CVERecord?id=CVE-2022-41838
[17] https://security-tracker.debian.org/tracker/CVE-2022-41977
https://www.cve.org/CVERecord?id=CVE-2022-41977
[18] https://security-tracker.debian.org/tracker/CVE-2022-41981
https://www.cve.org/CVERecord?id=CVE-2022-41981
[19] https://security-tracker.debian.org/tracker/CVE-2022-41988
https://www.cve.org/CVERecord?id=CVE-2022-41988
Please adjust the affected versions in the BTS as needed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#1027143; Package src:openimageio.
(Wed, 28 Dec 2022 17:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Wed, 28 Dec 2022 17:33:03 GMT) (full text, mbox, link).
Message #10 received at 1027143@bugs.debian.org (full text, mbox, reply):
Am Wed, Dec 28, 2022 at 05:31:34PM +0100 schrieb Moritz Mühlenhoff:
> Source: openimageio
> X-Debbugs-CC: team@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for openimageio.
And two more:
CVE-2022-38143:
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630
CVE-2022-36354:
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629
Cheers,
Moritz
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 28 Dec 2022 19:45:04 GMT) (full text, mbox, link).
Changed Bug title to 'penimageio: CVE-2022-36354 CVE-2022-38143 CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988' from 'openimageio: CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 28 Dec 2022 20:33:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Dec 29 16:36:15 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon
