From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:2:4a6f::])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id +DnWEFvKZWB7qwAAgWs5BA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 01 Apr 2021 15:27:55 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id IFWiC1vKZWDAcQAA1q6Kng
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 01 Apr 2021 13:27:55 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id C65A819250
	for <larch@yhetil.org>; Thu,  1 Apr 2021 15:27:54 +0200 (CEST)
Received: from localhost ([::1]:45080 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1lRxMX-0000Db-TX
	for larch@yhetil.org; Thu, 01 Apr 2021 09:27:53 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:40322)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lRxLo-00009p-IK
 for bug-guix@gnu.org; Thu, 01 Apr 2021 09:27:08 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:45135)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lRxLi-0003ir-BQ
 for bug-guix@gnu.org; Thu, 01 Apr 2021 09:27:05 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lRxLi-0001pv-87
 for bug-guix@gnu.org; Thu, 01 Apr 2021 09:27:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#47509: OpenEXR may be vulnerable to CVE-2021-3474,
 CVE-2021-3476 and CVE-2021-3475
Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Thu, 01 Apr 2021 13:27:02 +0000
Resent-Message-ID: <handler.47509.B47509.16172836007032@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 47509
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
To: 47509@debbugs.gnu.org
Received: via spool by 47509-submit@debbugs.gnu.org id=B47509.16172836007032
 (code B ref 47509); Thu, 01 Apr 2021 13:27:02 +0000
Received: (at 47509) by debbugs.gnu.org; 1 Apr 2021 13:26:40 +0000
Received: from localhost ([127.0.0.1]:56681 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lRxLM-0001pM-1S
 for submit@debbugs.gnu.org; Thu, 01 Apr 2021 09:26:40 -0400
Received: from mail.zaclys.net ([178.33.93.72]:33843)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lRxLH-0001p1-He
 for 47509@debbugs.gnu.org; Thu, 01 Apr 2021 09:26:37 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 131DQT3Y051232
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <47509@debbugs.gnu.org>; Thu, 1 Apr 2021 15:26:29 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 131DQT3Y051232
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617283589;
 bh=OlPnxG9tmcOTeZEZlQOBUCKjDsX4R2ukKjLV9L4W/HU=;
 h=Subject:From:To:Date:In-Reply-To:References:From;
 b=pcu6ZuBkNUKDbZ+qD609FhbF7tJcQzA+e9pA4XNh+7Tbr2NRKZJQp/11rUrnXlTDM
 0+ICXLl8HfPBCFn9zPGC4dInvgFcDEjt+rJovbxxyYzpwi+f965fT5bkofZm7Ysg5o
 V1opLVkqfOnjvvpX9ORjFyUWvo511HlkULa/HNgg=
Message-ID: <39ed8eb5a4a1accb3cc1e3fe428369987fd30aef.camel@zaclys.net>
Date: Thu, 01 Apr 2021 15:26:24 +0200
In-Reply-To: <a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@zaclys.net>
References: <a149c0f9538876ec9d93e75e40c44ce335d4682a.camel@zaclys.net>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-CX8pn5vhFbVPJ3R4a67x"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
Reply-to:  =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
From:  =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1617283674;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:in-reply-to:in-reply-to:references:references:
	 list-id:list-help:list-unsubscribe:list-subscribe:list-post:
	 dkim-signature; bh=OlPnxG9tmcOTeZEZlQOBUCKjDsX4R2ukKjLV9L4W/HU=;
	b=DzjxVK6gm2ZOrMjXKSjLpzDRTuwDNuYnQx/pQMZkBv4MKtBVMyvp/3uIpOXIgxoyqf2oh+
	kWuysTQpDLdLdL0Ebciu58XwIKSzL9ufe9tg9Od+Ppv9CEUllq9fcho6SrgQ278VS/8T6u
	UOnOYosBIEyoqCS9ZWYlx1k6VRzjjj9RCPW35uDYk50WgsWlmdKZkp1r2f8S/ZKxCj6vNX
	TZeXtKxT5gMmq4Bkd0h6lyj6AEw00wN2Ax3jhYGNIx6RlluA31kFJlnGpjd+cf2R4NCu0K
	tFUlRJW0xwHOK9Ny89aBkmKY1S/JIsRjlRlUCt9Bf2ldjK6OE8vANq0OOXg4BA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617283674; a=rsa-sha256; cv=none;
	b=Xx5m3K/ZijOIpqN7/OzeHStqWEoVcjcZhRR88ldsNqJJD1FuavNfXTGTA1/AxM7YJ6oqBQ
	VP9yPOo6ydcqDCOCWakFbyyw2y6qpqRfFgBluGjaNRJIdqj/fwkbq8X5mjKsPf9yOlQ4vW
	P9DZV6Wkiy2WTJKkTuA/NqQVI0sq1MN9G0vo0ap+s8f8l5WJGYRmrlRtKaBnnyO5g4oWl4
	JjYScii8uW6iXU8UasVCycmfWH/psjGK2jBOxf7DsLT4/0M4kBOvY0BqTdldTxyEX1jIKA
	QFyVogl4qzvh0bYJnBEqgUoPbZcIFBGyAKGtrVWND4mUz/OzaddbY7DjqqmBMg==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=pcu6ZuBk;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -5.03
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=pcu6ZuBk;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: C65A819250
X-Spam-Score: -5.03
X-Migadu-Scanner: scn0.migadu.com
X-TUID: aao7FUM+HPPO


--=-CX8pn5vhFbVPJ3R4a67x
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Another wave it seems:

CVE-2021-3479	31.03.21 16:15
There's a flaw in OpenEXR's Scanline API functionality in versions before 3=
.0.0-beta. An attacker who is able to submit a crafted file to be processed=
 by OpenEXR could trigger excessive consumption of memory, resulting in an =
impact to system availability.

Fix:=20
https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d=
007ae80a162bf257ec291612c

CVE-2021-3478	31.03.21 16:15
There's a flaw in OpenEXR's scanline input file functionality in versions b=
efore 3.0.0-beta. An attacker able to submit a crafted file to be processed=
 by OpenEXR could consume excessive system memory. The greatest impact of t=
his flaw is to system availability.

Fix (? as Red Hat analyst points out in=20
https://bugzilla.redhat.com/show_bug.cgi?id=3D1939160#c3, it indeed looks
uncertain):=20
https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5=
bc5d11ad8ca55306da931283a


CVE-2021-3477	31.03.21 16:15
There's a flaw in OpenEXR's deep tile sample size calculations in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to be processed by OpenEXR could trigger an integer overflow,
subsequently leading to an out-of-bounds read. The greatest risk of
this flaw is to application availability.

Fix (? as Red Hat analyst points out in=20
https://bugzilla.redhat.com/show_bug.cgi?id=3D1939159#c3, it indeed looks
uncertain):=20
https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642ef=
bbe6bdace558079f68c16acb1

--=-CX8pn5vhFbVPJ3R4a67x
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBlygAACgkQRaix6GvN
EKYhsQ/8DG/8IiaiEXkS53jgussV67oQGft+iFgxTCXyeanPvazZ5way4ulse/VL
ledGOfBkFZpduXcwgkgTz2DblyHsIVIS9rgi7v9u+QpI4CdszCN9RgTOWhHC0jk1
NyyeEWDeGM6xGftykP4rr1JHSPPA+DPnI//nQJRIetj/sBGmexzJixFrcBm79kdf
QSmKldEIQ/qDOD7qmSxzx2F1Absiv+gQaYC+uIw0XQDZCDjDu8KS6KwhHq0t6XT7
/07Fnsin1YitK2Wp/jS2f78HdETA0BT0CHTGE1/MqgFjSpV7g/1KArugEkyVlPF1
1CG+cqYT0rD1Jk6hyzg/S+4joDC//eTrY0P+0G7Xt28Zu6p7hpAUXBsOUBn3dGtk
NIUA2zJ7HRVoxIEKgG2TgbsJtH3+dxPO4v6DbeA0cu60PxpZljpiCZi2TY4+Kwu/
yUNb0ZDCZVH+HSxXe8xdtFSW4UTPA7WXKt72HJphinVS3WdvzgGCk/rwFdXA91zJ
PCWWD92KfR4FxwIMqOqFKvSYJZ/93VVCtdN8zHOrkp2B7NZ2+DCklezVOL/YhamN
HJ0PD2iD9KCOaT9I5hrVNnDgqKP/SMEty/6sUtodpSPcxfkBGuqvSUEAk0FO+B5N
7rzsQXfypCkuvS3x8642FCTg8PwAj08c4x6KE0cysnbsNjsN1ZM=
=qtCP
-----END PGP SIGNATURE-----

--=-CX8pn5vhFbVPJ3R4a67x--