CVE-2021-3474 30.03.21 20:15

There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.

Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f

CVE-2021-3476 30.03.21 20:15

A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.

Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9

CVE-2021-3475 30.03.21 20:15

There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.

Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753

I could not check if these flaws affect the 2.5.2 version packaged in GNU Guix yet.
Another wave it seems:

CVE-2021-3479 31.03.21 16:15

There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.

Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c

CVE-2021-3478 31.03.21 16:15

There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.

Fix (? as a Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3, it indeed looks uncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a

CVE-2021-3477 31.03.21 16:15

There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.

Fix (? as a Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3, it indeed looks uncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1
Another:

CVE-2021-20296 01.04.21 16:15

A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.

Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a
Hi,

I found [1], which lists which versions of OpenEXR are vulnerable to which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2], while we are currently tracking version 2.5.5, for which there are no known CVEs.

I will close this issue. Feel free to reopen if I missed anything.

[1] https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md
[2] https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-254-december-31-2020