Bug 1939153 (CVE-2021-20300)

Summary: CVE-2021-20300 OpenEXR: Integer-overflow in Imf_2_5::hufUncompress
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jeischma, jridky, kwizart, rdieter, rh-spice-bugs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: OpenEXR 3.0.0-beta Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenEXR's hufUncompress function in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:20:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1939174, 1944443    
Bug Blocks: 1929339, 1944753    

Description Michael Kaplan 2021-03-15 17:26:52 UTC 
Integer-overflow in Imf_2_5::hufUncompress
Comment 1 Michael Kaplan 2021-03-15 17:26:56 UTC 
External References:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562
Comment 2 Michael Kaplan 2021-03-15 17:40:29 UTC 
Created OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1939174]
Comment 3 Todd Cullum 2021-03-29 23:20:15 UTC 
Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0
Comment 4 Todd Cullum 2021-03-29 23:24:09 UTC 
Flaw summary:

in hufUncompress of OpenEXR/IlmImf/ImfHuf.cpp, nBits+7 could overflow in the calculation of `if ( ptr + (nBits+7 )/8 > compressed+nCompressed)`. This could lead to an impact to application availability if nBits is too large. The patch casts to 64-bit type to prevent this.
Comment 7 Todd Cullum 2021-03-29 23:44:40 UTC 
Statement:

This flaw does not affect OpenEXR shipped with Red Hat Enterprise Linux 6, 7, or 8 because the vulnerable code was introduced in a newer version of OpenEXR.