From: John Kehayias via Bug reports for GNU Guix <bug-guix@gnu.org>
To: Vinicius Monego <monego@posteo.net>
Cc: 70174@debbugs.gnu.org
Subject: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Date: Thu, 04 Apr 2024 02:50:28 +0000
Message-ID: <87zfu9vo28.fsf@protonmail.com>
In-Reply-To: <dc687d2e-19fc-4cb6-aca9-5328d2c6c8f1@posteo.net>


Hello,

On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:

> OpenEXR suffers from these vulnerabilities which were fixed in version
> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
> 3.1.3.
>
> The package contains 448 dependents, and a change in derivation
> shouldn't be pushed to master, at least according to the patch
> submission guidelines.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942

Thanks for passing this along.

I've applied a patch, attached, locally to the mesa-updates branch which
updates openexr to the latest version, 3.2.4. It required a few minor
changes (fix a phase, an input) but it builds.

I may wait to queue up some more fixes for that branch, but don't
currently have anything pending. Either way, it will be there soon and
hopefully merged to master (just need to wait for everything to build
and look good).

Thanks!
John

[-- Attachment #2: 0001-gnu-openexr-Update-to-3.2.4-security-fixes.patch (text/x-patch) --]

From 870359351e80a3d14304a4f6a1b734f67c1ea167 Mon Sep 17 00:00:00 2001
Message-ID: <870359351e80a3d14304a4f6a1b734f67c1ea167.1712198858.git.john.kehayias@protonmail.com>
From: John Kehayias <john.kehayias@protonmail.com>
Date: Wed, 3 Apr 2024 22:45:50 -0400
Subject: [PATCH] gnu: openexr: Update to 3.2.4 [security fixes].

Previous versions, 3.2.2 and 3.1.4, fixed CVE-2023-5841 and CVE-2021-45942,
respectively.

* gnu/packages/graphics.scm (openexr): Update to 3.2.4.

Reported-by: Vinicius Monego <monego@posteo.net>
Change-Id: I72f82e623c9b8988cae433947117cd81f40cdbc3
---
 gnu/packages/graphics.scm | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm
index ad08141c96..188e066766 100644
--- a/gnu/packages/graphics.scm
+++ b/gnu/packages/graphics.scm
@@ -1200,7 +1200,7 @@ (define-public ogre
 (define-public openexr
   (package
     (name "openexr")
-    (version "3.1.3")
+    (version "3.2.4")
     (source (origin
               (method git-fetch)
               (uri (git-reference
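Review bot: this is a minor-version jump (3.1.3 to 3.2.4) rather than a point release, yet only the `(version ...)` line is visible in this hunk; the `git-reference` commit or tag expression that follows `(uri (git-reference` lies outside it, so please confirm that expression is derived from `version` (so the `v3.2.4` tag is what gets fetched) and that the tag matches the upstream 3.2.4 release, since this line pins what the 448 dependents mentioned in the report will be rebuilt against.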
@@ -1210,7 +1210,7 @@ (define-public openexr
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0c9vla0kbsbbhkk42jlbf94nzfb1anqh7dy9b0b3nna1qr6v4bh6"))))
+                "00s1a05kggk71vfbnsvykyjc2j7y6yyzgl63sy4yiddshz2k2mcr"))))
     (build-system cmake-build-system)
     (arguments
      (list #:phases
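Review bot: the replacement base32 hash cannot be checked from the diff alone; please state in the cover note how it was obtained (a fresh `guix hash` over the checked-out 3.2.4 tree, not a value copied from elsewhere) so the hash is tied to the upstream tag rather than to whatever happened to be on the developer's disk. A wrong hash simply fails the build, but a hash that matches a tampered checkout would not, which is why the provenance of this value matters more than usual for a security update.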
@@ -1218,8 +1218,6 @@ (define-public openexr
                (add-after 'unpack 'patch-test-directory
                  (lambda _
                    (substitute* (list
-                                 "src/test/OpenEXRUtilTest/tmpDir.h"
-                                 "src/test/OpenEXRFuzzTest/tmpDir.h"
                                  "src/test/OpenEXRTest/tmpDir.h"
                                  "src/test/OpenEXRCoreTest/main.cpp")
                      (("/var/tmp")
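Review bot: dropping `src/test/OpenEXRUtilTest/tmpDir.h` and `src/test/OpenEXRFuzzTest/tmpDir.h` from the `substitute*` list is a behavioural change to the 'patch-test-directory phase that the commit message does not record; its ChangeLog entry only says "Update to 3.2.4". Assuming the reason is that these files no longer exist in 3.2.4 (`substitute*` fails on a missing file), add a line such as `[arguments]: Remove nonexistent files from 'patch-test-directory phase.` to the commit message; the remaining two files still receive the `/var/tmp` replacement, which is fine.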
@@ -1247,7 +1245,7 @@ (define-public openexr
                                 "")
                                (("TEST \\(testOptimizedInterleavePatterns, \"basic\"\\);")
                                 "")))))))))
-    (inputs (list imath zlib))
+    (inputs (list imath libdeflate zlib))
     (home-page "https://www.openexr.com/")
     (synopsis "High-dynamic-range file format library")
     (description
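Review bot: `libdeflate` is added to `inputs` while `zlib` is kept, and the commit message does not mention the new input; add `[inputs]: Add libdeflate.` to the ChangeLog entry. Since this pulls libdeflate into the closure of every dependent, it is also worth confirming whether zlib is still referenced by the 3.2.4 build and dropping it if not, so the security update does not carry an unused dependency along with it.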

base-commit: 1cba1f8ce6f84c4737650401c0eb0473a45f9ff7
-- 
2.41.0

