Bug 2019783 (CVE-2021-3933)

Summary: CVE-2021-3933 openexr: Integer-overflow in Imf_3_1::bytesPerDeepLineTable
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, hobbes1069, jridky, manisandro, rh-spice-bugs
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: OpenEXR 3.1.2
Doc Text:
An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t is less than 64 bits. This issue could cause an invalid bytesPerLine and maxBytesPerLine value, which leads to problems with application stability or other attack paths.
Bug Depends On: 2019784, 2019785, 2020444, 2020445, 2020446    
Bug Blocks: 2013538, 2021121    

Description Dhananjay Arunesh 2021-11-03 10:53:32 UTC
A vulnerability was found in openexr where an Integer-overflow was found in Imf_3_1::bytesPerDeepLineTable.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38912

Comment 1 Dhananjay Arunesh 2021-11-03 10:54:00 UTC
Created mingw-openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019785]


Created openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019784]

Comment 2 Richard Shaw 2021-11-04 02:02:49 UTC
This is already fixed for Fedora 35+ (already on 3.1.2). Unless upstream wants to backport the fixes/patches to 2.5 I have no intention of updating Fedora 33 & 34.

Comment 3 Todd Cullum 2021-11-04 21:18:27 UTC
Flaw summary:

An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
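
The flaw summary above, as an added example that is not part of the bug report, the upstream patch or OpenEXR's code: a simplified model of a per-scanline byte table in which `uint32_t` stands in for a `size_t` narrower than 64 bits. The names `uncheckedTable`, `checkedTable`, `LineSizes` and the sample counts are assumptions constructed for illustration.

```cpp
// Added illustration: a simplified model of the flaw, not OpenEXR source code.
#include <cstdint>
#include <limits>
#include <vector>

using size32_t = std::uint32_t;  // stand-in for size_t on a 32-bit build
using Counts = std::vector<std::vector<std::uint32_t>>;  // samples per pixel, per row

struct LineSizes {
    std::vector<size32_t> bytesPerLine;
    size32_t maxBytesPerLine = 0;
};

// Unchecked: the row total lives in a 32-bit value and silently wraps modulo 2^32.
LineSizes uncheckedTable(const Counts& counts, std::uint32_t bytesPerSample) {
    LineSizes out;
    for (const auto& row : counts) {
        size32_t total = 0;
        for (std::uint32_t n : row) total += n * bytesPerSample;
        out.bytesPerLine.push_back(total);
        if (total > out.maxBytesPerLine) out.maxBytesPerLine = total;
    }
    return out;
}

// Checked: accumulate in 64 bits; fail if any row cannot be represented in size32_t.
bool checkedTable(const Counts& counts, std::uint32_t bytesPerSample, LineSizes& out) {
    out = LineSizes{};
    for (const auto& row : counts) {
        std::uint64_t total = 0;
        for (std::uint32_t n : row) {
            total += std::uint64_t{n} * bytesPerSample;
            if (total > std::numeric_limits<size32_t>::max()) return false;
        }
        out.bytesPerLine.push_back(static_cast<size32_t>(total));
        if (total > out.maxBytesPerLine) out.maxBytesPerLine = static_cast<size32_t>(total);
    }
    return true;
}

// Constructed input: row 0 is ordinary, row 1 needs 2^32 + 4 bytes.
const Counts kSample = {{3, 5}, {0x40000001u, 0}};

int main() {
    LineSizes t;
    // Unchecked reports 4 bytes for row 1; checked refuses the whole table.
    return (uncheckedTable(kSample, 4).bytesPerLine[1] == 4 && !checkedTable(kSample, 4, t)) ? 0 : 1;
}
```

In the unchecked path the oversized row is recorded as 4 bytes and `maxBytesPerLine` stays at 32, so any buffer sized from the table would be far smaller than the data the file claims.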

Comment 8 Sandro Mani 2022-01-28 18:51:58 UTC
Patch: https://github.com/AcademySoftwareFoundation/openexr/commit/5db6f7aee79e3e75e8c3780b18b28699614dd08e (also applies to ImfMisc.cpp of openexr-2.5.5)