unofficial mirror of bug-guix@gnu.org 
* bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
@ 2024-04-04  1:07 Vinicius Monego
  2024-04-04  2:50 ` John Kehayias via Bug reports for GNU Guix
  0 siblings, 1 reply; 4+ messages in thread
From: Vinicius Monego @ 2024-04-04  1:07 UTC (permalink / raw)
  To: 70174

OpenEXR suffers from these vulnerabilities which were fixed in version 
3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently 3.1.3.

The package contains 448 dependents, and a change in derivation 
shouldn't be pushed to master, at least according to the patch 
submission guidelines.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841

[2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942





^ permalink raw reply	[flat|nested] 4+ messages in thread
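The report above reduces to one check: is the packaged version older than the first release carrying each fix? The following is an added example, not code from Guix or OpenEXR, that performs that comparison numerically for the two CVEs and fix versions named in the report; the `Advisory` type and the function names are assumptions made for illustration. The numeric parse matters because a plain string comparison ranks "3.1.10" below "3.1.4".

```python
"""Compare a packaged OpenEXR version against the fix versions from bug#70174.

Added example, not Guix or OpenEXR code.  The CVE/fix-version pairs are the
two the report names; `Advisory`, `parse_version` and `affected_by` are
illustrative names, not a Guix API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    fixed_in: str  # first upstream release that carries the fix


# The two advisories from the report, with the fix versions it cites.
ADVISORIES = (
    Advisory("CVE-2021-45942", "3.1.4"),
    Advisory("CVE-2023-5841", "3.2.2"),
)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.1.3' into (3, 1, 3) so comparisons are numeric per field.

    Rejects anything that is not dotted integers; a pre-release suffix such
    as '3.2.0-rc1' would need a different comparator and is refused here
    rather than silently mis-ordered.
    """
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in parts)


def affected_by(version: str, advisories=ADVISORIES) -> list[str]:
    """Return the CVEs whose first fixed release is newer than `version`.

    Assumes a single linear release line (fix in 3.1.4 implies fixed in
    3.2.x).  A distribution that backports fixes without bumping the version
    must be checked against its own advisories instead.
    """
    have = parse_version(version)
    return [a.cve for a in advisories if have < parse_version(a.fixed_in)]


if __name__ == "__main__":
    for v in ("3.1.3", "3.1.4", "3.1.10", "3.2.4"):
        print(v, "->", affected_by(v) or "not affected")
```

For a Guix checkout the same question is answered by `guix lint -c cve openexr`, which matches the package's version against the CVE feed, and `guix refresh -l openexr` lists the dependents that a version bump would rebuild.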

* bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
  2024-04-04  1:07 bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942 Vinicius Monego
@ 2024-04-04  2:50 ` John Kehayias via Bug reports for GNU Guix
  2024-04-04  3:47   ` John Kehayias via Bug reports for GNU Guix
  0 siblings, 1 reply; 4+ messages in thread
From: John Kehayias via Bug reports for GNU Guix @ 2024-04-04  2:50 UTC (permalink / raw)
  To: Vinicius Monego; +Cc: 70174


Hello,

On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:

> OpenEXR suffers from these vulnerabilities which were fixed in version
> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
> 3.1.3.
>
> The package contains 448 dependents, and a change in derivation
> shouldn't be pushed to master, at least according to the patch
> submission guidelines.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942

Thanks for passing this along.

I've applied a patch, attached, locally to the mesa-updates branch which
updates openexr to the latest version, 3.2.4. It required a few minor
changes (fix a phase, an input) but it builds.

I may wait to queue up some more fixes for that branch, but don't
currently have anything pending. Either way, it will be there soon and
hopefully merged to master (just need to wait for everything to build
and look good).

Thanks!
John

[-- Attachment #2: 0001-gnu-openexr-Update-to-3.2.4-security-fixes.patch --]

From 870359351e80a3d14304a4f6a1b734f67c1ea167 Mon Sep 17 00:00:00 2001
Message-ID: <870359351e80a3d14304a4f6a1b734f67c1ea167.1712198858.git.john.kehayias@protonmail.com>
From: John Kehayias <john.kehayias@protonmail.com>
Date: Wed, 3 Apr 2024 22:45:50 -0400
Subject: [PATCH] gnu: openexr: Update to 3.2.4 [security fixes].

Previous versions, 3.2.2 and 3.1.4, fixed CVE-2023-5841 and CVE-2021-45942,
respectively.

* gnu/packages/graphics.scm (openexr): Update to 3.2.4.

Reported-by: Vinicius Monego <monego@posteo.net>
Change-Id: I72f82e623c9b8988cae433947117cd81f40cdbc3
---
 gnu/packages/graphics.scm | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm
index ad08141c96..188e066766 100644
--- a/gnu/packages/graphics.scm
+++ b/gnu/packages/graphics.scm
@@ -1200,7 +1200,7 @@ (define-public ogre
 (define-public openexr
   (package
     (name "openexr")
-    (version "3.1.3")
+    (version "3.2.4")
     (source (origin
               (method git-fetch)
               (uri (git-reference
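Review bot: the bump from `(version "3.1.3")` to `(version "3.2.4")` crosses a minor series (3.1 to 3.2), not a patch release; the commit body says CVE-2023-5841 was only fixed in 3.2.2, so the series jump is unavoidable, but the message should say that, and that the 448 dependents named in the report get rebuilt, which is why this is staged on mesa-updates rather than pushed to master.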
@@ -1210,7 +1210,7 @@ (define-public openexr
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0c9vla0kbsbbhkk42jlbf94nzfb1anqh7dy9b0b3nna1qr6v4bh6"))))
+                "00s1a05kggk71vfbnsvykyjc2j7y6yyzgl63sy4yiddshz2k2mcr"))))
     (build-system cmake-build-system)
     (arguments
      (list #:phases
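Review bot: the new hash `00s1a05kggk71vfbnsvykyjc2j7y6yyzgl63sy4yiddshz2k2mcr` is the only thing binding the build to the 3.2.4 sources, and the git-reference it covers is outside this hunk; whoever pushes this should recompute it from a fresh checkout of the upstream tag (`guix hash -x --serializer=nar` on the checkout, or `guix refresh openexr`) rather than take the value from the e-mail, since a tag can be moved and the list is not an authenticated channel.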
@@ -1218,8 +1218,6 @@ (define-public openexr
                (add-after 'unpack 'patch-test-directory
                  (lambda _
                    (substitute* (list
-                                 "src/test/OpenEXRUtilTest/tmpDir.h"
-                                 "src/test/OpenEXRFuzzTest/tmpDir.h"
                                  "src/test/OpenEXRTest/tmpDir.h"
                                  "src/test/OpenEXRCoreTest/main.cpp")
                      (("/var/tmp")
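Review bot: the removal of `src/test/OpenEXRUtilTest/tmpDir.h` and `src/test/OpenEXRFuzzTest/tmpDir.h` from the substitute* list has no ChangeLog entry; the message only carries the version line. If the files are gone in 3.2.4 (substitute* errors on a missing file, so keeping them would fail the build, which matches the "fix a phase" remark in the reply), record it: `* gnu/packages/graphics.scm (openexr)[arguments]: Drop removed tmpDir.h files from 'patch-test-directory.` If they still exist, those tests would keep writing to /var/tmp.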
@@ -1247,7 +1245,7 @@ (define-public openexr
                                 "")
                                (("TEST \\(testOptimizedInterleavePatterns, \"basic\"\\);")
                                 "")))))))))
-    (inputs (list imath zlib))
+    (inputs (list imath libdeflate zlib))
     (home-page "https://www.openexr.com/")
     (synopsis "High-dynamic-range file format library")
     (description
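Review bot: `+    (inputs (list imath libdeflate zlib))` adds a dependency that the ChangeLog does not record; add `[inputs]: Add libdeflate.` to the `* gnu/packages/graphics.scm (openexr)` entry (the follow-up in this thread notes this was fixed locally). A new input also enters the closure of every dependent, one more reason the change belongs on a rebuild branch.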

base-commit: 1cba1f8ce6f84c4737650401c0eb0473a45f9ff7
prerequisite-patch-id: fa1f23e1340a3eeb9f347ed719b9b0fa0558fb3f
prerequisite-patch-id: a1eb5f0955b9988d3bfe3be8403c75999a1cae5f
prerequisite-patch-id: 2889be19c4a046760f2f608cefff987b11b65a31
prerequisite-patch-id: ea93b6662275aeec1e014a9bc9fe7a96f26ac600
prerequisite-patch-id: 177440a12b7c797d22f8bb1253db133d2fbad348
prerequisite-patch-id: 3a5189c1e8e4612ceb6f1b70cc3c83e39a977eb9
prerequisite-patch-id: 7ddfa796914f078615724949db7c1ac6c148d09f
prerequisite-patch-id: 3037b56c731bc0a62c6b4a2cfecbadc8ead38453
prerequisite-patch-id: 163581597c141e701fc8089a6337683abce82894
prerequisite-patch-id: f2f116d9fedadb3443bc61ff3824c479cda5fcf0
prerequisite-patch-id: 57807814fe98a68ffc68fb9ebdb92a7115959e0b
prerequisite-patch-id: 95f518cd6bd40014a2cb1b83f5af807b069a84cf
prerequisite-patch-id: 040ecf8f843498b7bcedac335cff1b84af17fad9
prerequisite-patch-id: 06b54c27f5ecd182574be222a50f592c5fb3fa4d
prerequisite-patch-id: 50f1bd0ac736d175116893d79869780070a2ea59
prerequisite-patch-id: 03be0e6d28cd6c11eaaf7b9784ba032fa72be4ff
prerequisite-patch-id: dce4ebc8c7dc26df87b1a91f676f660a87379c8a
prerequisite-patch-id: e3f21290baa6ec82b673387974ae2561caad7e64
prerequisite-patch-id: 15f266f43c1918cc8526406283af83369c4dc80e
prerequisite-patch-id: 78eedd30786c77e0e0a06f1d959ee9b687902d8f
prerequisite-patch-id: 3ad571d4975f17216c7ab008f3e81c5e038ec65b
prerequisite-patch-id: 8bcf03f489b2f139d277d0e46552ac0211b061b2
prerequisite-patch-id: 0e92576d6b767e75d64accf5b5d38eda08dae78e
-- 
2.41.0



* bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
  2024-04-04  2:50 ` John Kehayias via Bug reports for GNU Guix
@ 2024-04-04  3:47   ` John Kehayias via Bug reports for GNU Guix
  2024-04-18  4:58     ` John Kehayias via Bug reports for GNU Guix
  0 siblings, 1 reply; 4+ messages in thread
From: John Kehayias via Bug reports for GNU Guix @ 2024-04-04  3:47 UTC (permalink / raw)
  To: Vinicius Monego; +Cc: 70174

On Thu, Apr 04, 2024 at 02:50 AM, John Kehayias wrote:

> Hello,
>
> On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
>
>> OpenEXR suffers from these vulnerabilities which were fixed in version
>> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
>> 3.1.3.
>>
>> The package contains 448 dependents, and a change in derivation
>> shouldn't be pushed to master, at least according to the patch
>> submission guidelines.
>>
>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>>
>> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
>
> Thanks for passing this along.
>
> I've applied a patch, attached, locally to the mesa-updates branch which
> updates openexr to the latest version, 3.2.4. It required a few minor
> changes (fix a phase, an input) but it builds.
>
> I may wait to queue up some more fixes for that branch, but don't
> currently have anything pending. Either way, it will be there soon and
> hopefully merged to master (just need to wait for everything to build
> and look good).
>
> Thanks!
> John

Forgot to note the change in [inputs] in the changelog, fixed locally.







* bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
  2024-04-04  3:47   ` John Kehayias via Bug reports for GNU Guix
@ 2024-04-18  4:58     ` John Kehayias via Bug reports for GNU Guix
  0 siblings, 0 replies; 4+ messages in thread
From: John Kehayias via Bug reports for GNU Guix @ 2024-04-18  4:58 UTC (permalink / raw)
  To: Vinicius Monego; +Cc: 70174-done

On Thu, Apr 04, 2024 at 03:47 AM, John Kehayias wrote:

> On Thu, Apr 04, 2024 at 02:50 AM, John Kehayias wrote:
>
>> Hello,
>>
>> On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
>>
>>> OpenEXR suffers from these vulnerabilities which were fixed in version
>>> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
>>> 3.1.3.
>>>
>>> The package contains 448 dependents, and a change in derivation
>>> shouldn't be pushed to master, at least according to the patch
>>> submission guidelines.
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>>>
>>> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
>>
>> Thanks for passing this along.
>>
>> I've applied a patch, attached, locally to the mesa-updates branch which
>> updates openexr to the latest version, 3.2.4. It required a few minor
>> changes (fix a phase, an input) but it builds.
>>
>> I may wait to queue up some more fixes for that branch, but don't
>> currently have anything pending. Either way, it will be there soon and
>> hopefully merged to master (just need to wait for everything to build
>> and look good).
>>
>> Thanks!
>> John
>
> Forgot to note the change in [inputs] in the changelog, fixed locally.

Pushed as 410e699e0933653e69d03a4cdadf11854c6723f4 (and fixed some build
issues with 2718616f77aace28b3962fef29b4e38b87a512ce) and merged with
2d5736cc3e869fadd2592cc13a8d332fac63b144.

Thanks!
John






Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
