Bug 1970991 (CVE-2021-3605)
| Field | Value |
|---|---|
| Summary | CVE-2021-3605 OpenEXR: Heap buffer overflow in the rleUncompress function |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Nobody <nobody> |
| Status | NEW --- |
| QA Contact | |
| Severity | low |
| Docs Contact | |
| Priority | low |
| Version | unspecified |
| CC | carnil, jeischma, jridky, manisandro, rdieter, rh-spice-bugs, sjamison |
| Target Milestone | --- |
| Keywords | Reopened, Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | OpenEXR 3.0.5 |
| Doc Type | If docs needed, set a value |
| Doc Text | There's a flaw in OpenEXR's rleUncompress functionality. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-06-28 15:58:33 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1834513, 1970993, 1970994, 1973434, 1973435, 1990996 |
| Bug Blocks | 1970995, 1972358 |
Description

Pedro Sampaio, 2021-06-11 15:42:14 UTC

Created OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1970993]

Created mingw-OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1970994]

Hi,

This could be a duplicate of the assigned CVE-2020-11760. Can you check if the CVE is meant to cover another attack vector, in case you agree?

Good catch - thank you.

Hi

(In reply to Shawn Jamison from comment #6)
> Good catch - thank you.

Thanks for double-checking. In this case can you REJECT CVE-2021-3605 and remove the alias for this bug as well later? This will avoid some confusion in tracking those CVEs. Thank you already!

Actually this might have been wrong. Further triage in Debian by Sylvain Beucler has shown the following, but again please double-check if this is correct:

CVE-2020-11760 is specifically for https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 and fixed with https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3

CVE-2021-3605 initially refers to your Bugzilla entry, referring to https://github.com/AcademySoftwareFoundation/openexr/pull/1036 and so possibly https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 which is a different part of the code, patched very similarly.

So from a further round of review it looks safe to assume both CVEs are valid and distinct.

Hi Shawn,

As per comment 8, it seems the two CVEs are distinct. Can you review them and let me know, please?

Upon closer review, they are indeed distinct. I believe I've taken the steps needed to separate this flaw from CVE-2020-11760. Can you review and let me know if additional actions are needed, please?

In reply to comment #10:
> Upon closer review, they are indeed distinct. I believe I've taken the steps
> needed to separate this flaw from CVE-2020-11760. Can you review and let me
> know if additional actions are needed, please?

I think it would be better to have comments like '*** This bug has been marked as a duplicate of bug 1829006 ***' marked private on both flaw bugs to avoid confusion. Also, please add the fixed-in version information when available so we can report this CVE to Mitre. Let me know if you have any additional questions.