GNU bug report logs - #47509
OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Wed, 31 Mar 2021 01:48:02 UTC

Severity: normal

Tags: security

Done: Vinicius Monego <monego <at> posteo.net>

Bug is archived. No further changes may be made.


Report forwarded to bug-guix <at> gnu.org:
bug#47509; Package guix. (Wed, 31 Mar 2021 01:48:02 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 31 Mar 2021 01:48:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and
 CVE-2021-3475
Date: Wed, 31 Mar 2021 03:47:32 +0200
CVE-2021-3474	30.03.21 20:15
There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted
input file that is processed by OpenEXR could cause a shift overflow in
the FastHufDecoder, potentially leading to problems with application
availability.

Fix: 
https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f

CVE-2021-3476	30.03.21 20:15
A flaw was found in OpenEXR's B44 uncompression functionality in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to OpenEXR could trigger shift overflows, potentially affecting
application availability.

Fix: 
https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9

CVE-2021-3475	30.03.21 20:15
There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker
who can submit a crafted file to be processed by OpenEXR could cause an
integer overflow, potentially leading to problems with application
availability.

Fix: 
https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753

I could not check if these flaws affect the 2.5.2 version packaged in
GNU Guix yet.

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Wed, 31 Mar 2021 01:51:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#47509; Package guix. (Thu, 01 Apr 2021 13:27:02 GMT)

Message #10 received at 47509 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47509 <at> debbugs.gnu.org
Subject: Re: bug#47509: OpenEXR may be vulnerable to CVE-2021-3474,
 CVE-2021-3476 and CVE-2021-3475
Date: Thu, 01 Apr 2021 15:26:24 +0200
Another wave it seems:

CVE-2021-3479	31.03.21 16:15
There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.

Fix: 
https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c

CVE-2021-3478	31.03.21 16:15
There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.

Fix (? as Red Hat analyst points out in 
https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3, it indeed looks
uncertain): 
https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a


CVE-2021-3477	31.03.21 16:15
There's a flaw in OpenEXR's deep tile sample size calculations in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to be processed by OpenEXR could trigger an integer overflow,
subsequently leading to an out-of-bounds read. The greatest risk of
this flaw is to application availability.

Fix (? as Red Hat analyst points out in 
https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3, it indeed looks
uncertain): 
https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1

Information forwarded to bug-guix <at> gnu.org:
bug#47509; Package guix. (Fri, 02 Apr 2021 10:05:01 GMT)

Message #13 received at 47509 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47509 <at> debbugs.gnu.org
Subject: Re: bug#47509: OpenEXR may be vulnerable to CVE-2021-3474,
 CVE-2021-3476 and CVE-2021-3475
Date: Fri, 02 Apr 2021 12:04:09 +0200
Another:

CVE-2021-20296	01.04.21 16:15
A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted
input file supplied by an attacker, that is processed by the Dwa
decompression functionality of OpenEXR's IlmImf library, could cause a
NULL pointer dereference. The highest threat from this vulnerability is
to system availability.

Fix: 
https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a

Reply sent to Vinicius Monego <monego <at> posteo.net>:
You have taken responsibility. (Mon, 05 Jul 2021 23:47:02 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Mon, 05 Jul 2021 23:47:02 GMT)

Message #18 received at 47509-done <at> debbugs.gnu.org:

From: Vinicius Monego <monego <at> posteo.net>
To: 47509-done <at> debbugs.gnu.org
Subject: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and
 CVE-2021-3475
Date: Mon, 05 Jul 2021 23:46:15 +0000
Hi,

I found [1] which lists which versions of OpenEXR are vulnerable to
which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2],
while we are currently tracking version 2.5.5, for which there are no
known CVEs.

I will close this issue. Feel free to reopen if I missed anything.

[1]
https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md

[2]
https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-254-december-31-2020





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 03 Aug 2021 11:24:04 GMT)

This bug report was last modified 2 years and 267 days ago.
