Bug 1828995 (CVE-2020-11763)

Summary: CVE-2020-11763 OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jridky, kwizart, manisandro, rdieter, rh-spice-bugs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: OpenEXR 2.4.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 22:00:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1828996, 1828997, 1833565, 1833566, 1833567    
Bug Blocks: 1829017    

Description Guilherme de Almeida Suckevicz 2020-04-28 17:16:30 UTC 
An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020
Comment 1 Guilherme de Almeida Suckevicz 2020-04-28 17:16:49 UTC 
Created OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1828996]


Created mingw-OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1828997]
Comment 3 Todd Cullum 2020-05-08 22:21:03 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 4 Todd Cullum 2020-05-08 22:23:02 UTC 
This flaw affects versions of OpenEXR shipped in Red Hat Enterprise Linux 7 and 8.
Comment 6 Todd Cullum 2020-05-12 18:12:26 UTC 
Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/pull/643/commits/d0303d1785d2a8cb994efee9efa81f8ee4be4c17
Comment 7 errata-xmlrpc 2020-09-29 20:50:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4039 https://access.redhat.com/errata/RHSA-2020:4039
Comment 8 Product Security DevOps Team 2020-09-29 22:00:37 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11763