GNU bug report logs - #47509
OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475


Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Wed, 31 Mar 2021 01:48:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 47509 <at> debbugs.gnu.org:


Message-ID: <39ed8eb5a4a1accb3cc1e3fe428369987fd30aef.camel@HIDDEN>
Subject: Re: bug#47509: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
From: Léo Le Bouter <lle-bout@HIDDEN>
To: 47509 <at> debbugs.gnu.org
Date: Thu, 01 Apr 2021 15:26:24 +0200
In-Reply-To: <a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@HIDDEN>
References: <a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@HIDDEN>

Another wave it seems:

CVE-2021-3479    31.03.21 16:15
There's a flaw in OpenEXR's Scanline API functionality in versions before
3.0.0-beta. An attacker who is able to submit a crafted file to be processed
by OpenEXR could trigger excessive consumption of memory, resulting in an
impact to system availability.

Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c

CVE-2021-3478    31.03.21 16:15
There's a flaw in OpenEXR's scanline input file functionality in versions
before 3.0.0-beta. An attacker able to submit a crafted file to be processed
by OpenEXR could consume excessive system memory. The greatest impact of
this flaw is to system availability.

Fix (? as Red Hat analyst points out in
https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3, it indeed looks
uncertain):
https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a

CVE-2021-3477    31.03.21 16:15
There's a flaw in OpenEXR's deep tile sample size calculations in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to be processed by OpenEXR could trigger an integer overflow,
subsequently leading to an out-of-bounds read. The greatest risk of
this flaw is to application availability.

Fix (? as Red Hat analyst points out in
https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3, it indeed looks
uncertain):
https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1



Information forwarded to bug-guix@HIDDEN:
bug#47509; Package guix. Full text available.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Message-ID: <a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@HIDDEN>
Subject: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Wed, 31 Mar 2021 03:47:32 +0200

CVE-2021-3474    30.03.21 20:15
There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted
input file that is processed by OpenEXR could cause a shift overflow in
the FastHufDecoder, potentially leading to problems with application
availability.

Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f

CVE-2021-3476    30.03.21 20:15
A flaw was found in OpenEXR's B44 uncompression functionality in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to OpenEXR could trigger shift overflows, potentially affecting
application availability.

Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9

CVE-2021-3475    30.03.21 20:15
There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker
who can submit a crafted file to be processed by OpenEXR could cause an
integer overflow, potentially leading to problems with application
availability.

Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753

I could not check if these flaws affect the 2.5.2 version packaged in
GNU Guix yet.

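Both messages in this report list upstream fix commits and note that it was not yet checked whether the 2.5.2 release packaged in Guix contains them. The script below is an added example, not part of the bug report or of the OpenEXR project: given a local clone of the OpenEXR repository and a release tag, it reports for each commit quoted in the thread whether that commit is already reachable from the tag (and therefore needs no backport). The clone path and the tag name v2.5.2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): triage which upstream fix
# commits are already contained in a packaged release.
# Assumptions: $1 is a local clone of the OpenEXR repository and $2 is
# the tag of the packaged release (v2.5.2 is assumed for Guix's 2.5.2).

# Fix commits exactly as quoted in the two messages of bug#47509.
FIXES="
CVE-2021-3474 c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f
CVE-2021-3476 eec0dba242bedd2778c973ae4af112107b33d9c9
CVE-2021-3475 2a18ed424a854598c2a20b5dd7e782b436a1e753
CVE-2021-3479 d80f11f4f55100d007ae80a162bf257ec291612c
CVE-2021-3478 bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
CVE-2021-3477 467be80b75642efbbe6bdace558079f68c16acb1
"

# fix_status REPO REF COMMIT prints one word:
#   fixed   - COMMIT is an ancestor of REF (fix already in the release)
#   missing - COMMIT is in the clone but not reachable from REF (backport needed)
#   unknown - COMMIT is absent from the clone (shallow clone or wrong repo)
fix_status() {
    repo=$1; ref=$2; commit=$3
    git -C "$repo" rev-parse --verify -q "$ref^{commit}" >/dev/null ||
        { echo "error: ref $ref not found in $repo" >&2; return 1; }
    if ! git -C "$repo" cat-file -e "$commit^{commit}" 2>/dev/null; then
        echo unknown
        return 0
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref" 2>/dev/null; then
        echo fixed
    else
        echo missing
    fi
}

# report REPO REF prints "CVE commit status" for every entry in FIXES.
report() {
    echo "$FIXES" | while read -r cve commit; do
        [ -n "$cve" ] || continue
        printf '%s %s %s\n' "$cve" "$commit" "$(fix_status "$1" "$2" "$commit")"
    done
}

# Usage: sh check-fixes.sh /path/to/openexr v2.5.2
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

A result of "missing" for a commit means the packaged release predates the fix and the commit has to be cherry-picked or the package upgraded; "unknown" usually means the clone is shallow or the commit id was mistyped.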





Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47509; Package guix. Full text available.
Last modified: Thu, 1 Apr 2021 13:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.