GNU bug report logs - #70174
OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942

Package: guix;

Reported by: Vinicius Monego <monego <at> posteo.net>

Date: Thu, 4 Apr 2024 01:09:03 UTC

Severity: normal

Done: John Kehayias <john.kehayias <at> protonmail.com>


Report forwarded to bug-guix <at> gnu.org:
bug#70174; Package guix. (Thu, 04 Apr 2024 01:09:04 GMT)

Acknowledgement sent to Vinicius Monego <monego <at> posteo.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 04 Apr 2024 01:09:04 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Vinicius Monego <monego <at> posteo.net>
To: bug-guix <at> gnu.org
Subject: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Date: Thu,  4 Apr 2024 01:07:52 +0000
OpenEXR suffers from these vulnerabilities which were fixed in version 
3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently 3.1.3.

The package contains 448 dependents, and a change in derivation 
shouldn't be pushed to master, at least according to the patch 
submission guidelines.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841

[2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
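The report's triage step (packaged version 3.1.3; CVE-2021-45942 fixed in 3.1.4; CVE-2023-5841 fixed in 3.2.2) is the kind of check a packager repeats across many packages. The following is an added example, not code from the bug report or from Guix, that encodes the fixed-in versions quoted above and reports which advisories still apply to a given packaged version. The advisory table and the sample versions are constructed from the report's own numbers.

```python
"""Work out which advisories still apply to a packaged version.

Added example (not part of the bug report or of Guix). The fixed-in
versions are the ones quoted in the report; everything else is constructed.
"""
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    fixed_in: str  # first release that contains the fix


# Fixed-in versions as stated in the report (NVD references [1] and [2]).
OPENEXR_ADVISORIES = (
    Advisory("CVE-2021-45942", "3.1.4"),
    Advisory("CVE-2023-5841", "3.2.2"),
)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.1.3' into (3, 1, 3); reject anything that is not dotted digits.

    Comparing as tuples rather than strings avoids '3.10' < '3.2'; a shorter
    tuple compares correctly with a longer one ((3, 2) < (3, 2, 2)).
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: str, fixed_in: str) -> bool:
    """True when the packaged version already contains the fix."""
    return parse_version(version) >= parse_version(fixed_in)


def open_advisories(version: str, advisories=OPENEXR_ADVISORIES) -> list[str]:
    """Return the CVE ids that still apply at this packaged version."""
    return [a.cve for a in advisories if not is_fixed(version, a.fixed_in)]


def earliest_clean_version(advisories=OPENEXR_ADVISORIES) -> str:
    """Smallest release that closes every advisory in the table."""
    return max((a.fixed_in for a in advisories), key=parse_version)


if __name__ == "__main__":
    # 3.1.3 is the version the report says Guix shipped; 3.2.4 is the update.
    for v in ("3.1.3", "3.1.4", "3.2.1", "3.2.4"):
        print(v, "open:", open_advisories(v) or "none")
    print("update to at least", earliest_clean_version())
```

The comparison treats each fixed-in version as a lower bound on a single release line, which matches what the report states. If a project backports a fix to an older line (for example a later 3.1.x release), the advisory's per-branch data has to be added to the table; a plain version comparison cannot see that on its own.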

Information forwarded to bug-guix <at> gnu.org:
bug#70174; Package guix. (Thu, 04 Apr 2024 02:51:02 GMT)

Message #8 received at 70174 <at> debbugs.gnu.org:

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Vinicius Monego <monego <at> posteo.net>
Cc: 70174 <at> debbugs.gnu.org
Subject: Re: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Date: Thu, 04 Apr 2024 02:50:28 +0000
Hello,

On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:

> OpenEXR suffers from these vulnerabilities which were fixed in version
> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
> 3.1.3.
>
> The package contains 448 dependents, and a change in derivation
> shouldn't be pushed to master, at least according to the patch
> submission guidelines.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942

Thanks for passing this along.

I've applied a patch, attached, locally to the mesa-updates branch which
 updates openexr to the latest version, 3.2.4. It required a few minor
 changes (fix a phase, an input) but it builds.

I may wait to queue up some more fixes for that branch, but don't
currently have anything pending. Either way, it will be there soon and
hopefully merged to master (just need to wait for everything to build
and look good).

Thanks!
John
[0001-gnu-openexr-Update-to-3.2.4-security-fixes.patch (text/x-patch, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#70174; Package guix. (Thu, 04 Apr 2024 03:48:02 GMT)

Message #11 received at 70174 <at> debbugs.gnu.org:

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Vinicius Monego <monego <at> posteo.net>
Cc: 70174 <at> debbugs.gnu.org
Subject: Re: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Date: Thu, 04 Apr 2024 03:47:37 +0000
On Thu, Apr 04, 2024 at 02:50 AM, John Kehayias wrote:

> Hello,
>
> On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
>
>> OpenEXR suffers from these vulnerabilities which were fixed in version
>> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
>> 3.1.3.
>>
>> The package contains 448 dependents, and a change in derivation
>> shouldn't be pushed to master, at least according to the patch
>> submission guidelines.
>>
>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>>
>> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
>
> Thanks for passing this along.
>
> I've applied a patch, attached, locally to the mesa-updates branch which
>  updates openexr to the latest version, 3.2.4. It required a few minor
>  changes (fix a phase, an input) but it builds.
>
> I may wait to queue up some more fixes for that branch, but don't
> currently have anything pending. Either way, it will be there soon and
> hopefully merged to master (just need to wait for everything to build
> and look good).
>
> Thanks!
> John

Forgot to note the change in [inputs] in the changelog, fixed locally.

Reply sent to John Kehayias <john.kehayias <at> protonmail.com>:
You have taken responsibility. (Thu, 18 Apr 2024 05:00:05 GMT)

Notification sent to Vinicius Monego <monego <at> posteo.net>:
bug acknowledged by developer. (Thu, 18 Apr 2024 05:00:05 GMT)

Message #16 received at 70174-done <at> debbugs.gnu.org:

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Vinicius Monego <monego <at> posteo.net>
Cc: 70174-done <at> debbugs.gnu.org
Subject: Re: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Date: Thu, 18 Apr 2024 04:58:37 +0000
On Thu, Apr 04, 2024 at 03:47 AM, John Kehayias wrote:

> On Thu, Apr 04, 2024 at 02:50 AM, John Kehayias wrote:
>
>> Hello,
>>
>> On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
>>
>>> OpenEXR suffers from these vulnerabilities which were fixed in version
>>> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
>>> 3.1.3.
>>>
>>> The package contains 448 dependents, and a change in derivation
>>> shouldn't be pushed to master, at least according to the patch
>>> submission guidelines.
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>>>
>>> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
>>
>> Thanks for passing this along.
>>
>> I've applied a patch, attached, locally to the mesa-updates branch which
>>  updates openexr to the latest version, 3.2.4. It required a few minor
>>  changes (fix a phase, an input) but it builds.
>>
>> I may wait to queue up some more fixes for that branch, but don't
>> currently have anything pending. Either way, it will be there soon and
>> hopefully merged to master (just need to wait for everything to build
>> and look good).
>>
>> Thanks!
>> John
>
> Forgot to note the change in [inputs] in the changelog, fixed locally.

Pushed as 410e699e0933653e69d03a4cdadf11854c6723f4 (and fixed some build
issues with 2718616f77aace28b3962fef29b4e38b87a512ce) and merged with
2d5736cc3e869fadd2592cc13a8d332fac63b144.

Thanks!
John
