Debian Bug report logs - #864078
openexr: CVE-2017-9110 CVE-2017-9112 CVE-2017-9116

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 4 Jun 2017 06:48:02 UTC

Severity: grave

Tags: patch, security

Found in version openexr/2.2.0-11

Fixed in version openexr/2.2.0-11.1

Done: Markus Koschany <apo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#864078; Package src:openexr. (Sun, 04 Jun 2017 06:48:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 04 Jun 2017 06:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-9117
Date: Sun, 04 Jun 2017 08:44:38 +0200
Source: openexr
Severity: grave
Tags: security

Please see http://www.openwall.com/lists/oss-security/2017/05/12/5

These were reported upstream at https://github.com/openexr/openexr/issues/232

Upstream fixes are linked in the github bug.

Cheers,
        Moritz



Marked as found in versions openexr/2.2.0-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jun 2017 06:57:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#864078; Package src:openexr. (Sun, 04 Jun 2017 12:48:04 GMT)


Acknowledgement sent to Mathieu Malaterre <malat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 04 Jun 2017 12:48:04 GMT)


Message #12 received at 864078@bugs.debian.org:

From: Mathieu Malaterre <malat@debian.org>
To: 864078@bugs.debian.org
Subject: Re: Bug#864078: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-9117
Date: Sun, 4 Jun 2017 14:44:09 +0200
Control: tags -1 patch

https://github.com/binarycrusader/openexr/commit/749193265ac99956f01a2dd9b20f124f2f7859d0.patch



Added tag(s) patch. Request was from Mathieu Malaterre <malat@debian.org> to 864078-submit@bugs.debian.org. (Sun, 04 Jun 2017 12:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#864078; Package src:openexr. (Thu, 31 Aug 2017 22:21:02 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Thu, 31 Aug 2017 22:21:02 GMT)


Message #19 received at 864078@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864078@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#864078: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-9117
Date: Fri, 1 Sep 2017 00:16:44 +0200
clone 864078 -1
severity -1 important
thanks

I have prepared a security update for openexr which I am going to upload
in due course. The upload will fix CVE-2017-9110, CVE-2017-9112 and
CVE-2017-9116. The other CVEs are not considered critical by
upstream. In fact it looks more like they are just normal bugs in the
exr2aces test program, which is not built by default. I'm going to clone
this bug report because of the outstanding issues but will lower the
severity to important.

Regards,

Markus
[openexr.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Bug 864078 cloned as bug 873885. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Thu, 31 Aug 2017 22:21:05 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 31 Aug 2017 22:57:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 31 Aug 2017 22:57:03 GMT)


Message #26 received at 864078-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864078-close@bugs.debian.org
Subject: Bug#864078: fixed in openexr 2.2.0-11.1
Date: Thu, 31 Aug 2017 22:52:01 +0000
Source: openexr
Source-Version: 2.2.0-11.1

We believe that the bug you reported is fixed in the latest version of
openexr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864078@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated openexr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 31 Aug 2017 23:52:03 +0200
Source: openexr
Binary: openexr openexr-doc libopenexr-dev libopenexr22
Architecture: source
Version: 2.2.0-11.1
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libopenexr-dev - development files for the OpenEXR image library
 libopenexr22 - runtime files for the OpenEXR image library
 openexr    - command-line tools for the OpenEXR image format
 openexr-doc - documentation and examples for the OpenEXR image format
Closes: 864078
Changes:
 openexr (2.2.0-11.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116.
     Brandon Perry discovered that openexr was affected by an integer overflow
     vulnerability and missing boundary checks that would allow a remote
     attacker to cause a denial of service (application crash) via specially
     crafted image files. (Closes: #864078)
Checksums-Sha1:
 593be276da8186200a66d17fbf48a09a2719a175 2439 openexr_2.2.0-11.1.dsc
 221bfdeb51296f243601a3273e3c413bf38f3b0f 17344 openexr_2.2.0-11.1.debian.tar.xz
 e48088e2be4d28facdecfc754acad8240d71a452 7006 openexr_2.2.0-11.1_amd64.buildinfo
Checksums-Sha256:
 8d987878d616cf3c089042b2becedeb06b5d599936194ab92e5a5b44d663bf0f 2439 openexr_2.2.0-11.1.dsc
 d0499a25e6307dea5f985cb11a00045b7f22b71f4b86bca00b133be4acfa8a4e 17344 openexr_2.2.0-11.1.debian.tar.xz
 9872fe715f8b473b6c030330b7d85dc3327e79d041f0fa3faf41cbf5474dc460 7006 openexr_2.2.0-11.1_amd64.buildinfo
Files:
 5523c1dfe6e72693501b9416012fda92 2439 graphics optional openexr_2.2.0-11.1.dsc
 4ffdb4a4d1c0f997147e7748bc2ab35c 17344 graphics optional openexr_2.2.0-11.1.debian.tar.xz
 8a3c634ed6ed896658061562de8cad48 7006 graphics optional openexr_2.2.0-11.1_amd64.buildinfo





Changed Bug title to 'openexr: CVE-2017-9110 CVE-2017-9112 CVE-2017-9116' from 'CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-9117'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Sep 2017 04:09:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:47:23 2019; Machine Name: beach
