Bug 2019789 (CVE-2021-3941)

Summary: CVE-2021-3941 openexr: Divide-by-zero in Imf_3_1::RGBtoXYZ
Product: [Other] Security Response
Component: vulnerability
Reporter: Dhananjay Arunesh <darunesh>
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: bdettelb, hobbes1069, jridky, manisandro, rh-spice-bugs
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: OpenEXR 3.1.2
Doc Type: No Doc Update
Bug Depends On: 2019792, 2019793, 2021372, 2021373, 2021374
Bug Blocks: 2013538, 2021560
Attachments: Patch (flags: none)

Description Dhananjay Arunesh 2021-11-03 10:59:22 UTC
A vulnerability was found in openexr where a Divide-by-zero was found in Imf_3_1::RGBtoXYZ.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084

Comment 1 Dhananjay Arunesh 2021-11-03 11:03:06 UTC
Created mingw-openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019793]


Created openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019792]

Comment 3 Richard Shaw 2021-11-05 17:44:13 UTC
Unless this can be cleanly applied to the 2.5 series, I don't see the point in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where it's already been fixed.

Comment 4 Todd Cullum 2021-11-08 19:31:14 UTC
In reply to comment #3:
> Unless this can be cleanly applied to the 2.5 series, I don't see the point
> in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where
> it's already been fixed.

Note that this is a "Flaw bug" - it is not tied *exclusively* to any version of Fedora or product. The status of a flaw bug is determined by and expresses the status of the security analysis of the vulnerability by the product security analyst, not the affected or fixed status directly. While having zero community or Red Hat products affected would likely result in a swift closure of a flaw, it should not be assumed that just because Fedora is not affected, that the flaw bug should be closed out at that time.

However, the "Tracker" bugs, in this case, [1][2], could be closed out directly by maintainers to reflect the status of the product or fix.

1. https://bugzilla.redhat.com/show_bug.cgi?id=2019792
2. https://bugzilla.redhat.com/show_bug.cgi?id=2019793

Comment 5 Todd Cullum 2021-11-09 02:19:04 UTC
Flaw summary:

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
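
The two divisions named in the flaw summary, with a guarded counterpart, as an added example; this is not code from the bug, from the attached 2.5.5 patch, or from the OpenEXR 3.1.2 fix. The unchecked function transcribes the classic RGBtoXYZ arithmetic (the `X`, `Z`, `d`, `Sr`/`Sg`/`Sb` formulas comment 5 quotes from); the `V2f`/`Chromaticities` structs, the `kRec709` input and the checked wrapper are this example's own stand-ins and design. One caveat the summary does not state: on IEEE-754 targets a float divide by zero does not trap by default, so the observable effect of a crafted `white.y == 0` or collinear primaries is an all-NaN conversion matrix (the fuzzer report comes from UBSan's float-divide-by-zero check), and a process only crashes if it enables floating-point exceptions or later trips on the NaN values.

```cpp
#include <cmath>
#include <cstdio>

// Constructed stand-ins for Imath::V2f and Imf::Chromaticities so this
// example compiles without OpenEXR. Chromaticities are CIE xy pairs.
struct V2f { float x, y; };
struct Chromaticities { V2f red, green, blue, white; };
typedef float Mat3[3][3];   // OpenEXR row-vector convention: XYZ = RGB * M

// Rec. 709 primaries with a D65 white point (constructed test input).
const Chromaticities kRec709 = {
    {0.64f, 0.33f}, {0.30f, 0.60f}, {0.15f, 0.06f}, {0.3127f, 0.3290f}};

// Common denominator of the row scale factors. Zero whenever the three
// primaries are collinear in xy (e.g. all equal), which a file can declare.
static float denominator(const Chromaticities& c)
{
    return c.red.x   * (c.blue.y  - c.green.y) +
           c.blue.x  * (c.green.y - c.red.y)   +
           c.green.x * (c.red.y   - c.blue.y);
}

// The classic RGBtoXYZ arithmetic with no guards, as described in the flaw
// summary: divides by chroma.white.y and by d. With white.y == 0, X and Z
// become inf, inf - inf becomes NaN, and every matrix entry is non-finite.
void rgbToXYZUnchecked(const Chromaticities& c, float Y, Mat3 M)
{
    float X = c.white.x * Y / c.white.y;
    float Z = (1 - c.white.x - c.white.y) * Y / c.white.y;
    float d = denominator(c);
    float XZ = X + Z;

    float Sr = (X * (c.blue.y - c.green.y) -
                c.green.x * (Y * (c.blue.y - 1)  + c.blue.y  * XZ) +
                c.blue.x  * (Y * (c.green.y - 1) + c.green.y * XZ)) / d;
    float Sg = (X * (c.red.y - c.blue.y) +
                c.red.x   * (Y * (c.blue.y - 1)  + c.blue.y  * XZ) -
                c.blue.x  * (Y * (c.red.y - 1)   + c.red.y   * XZ)) / d;
    float Sb = (X * (c.green.y - c.red.y) -
                c.red.x   * (Y * (c.green.y - 1) + c.green.y * XZ) +
                c.green.x * (Y * (c.red.y - 1)   + c.red.y   * XZ)) / d;

    M[0][0] = Sr * c.red.x;   M[0][1] = Sr * c.red.y;   M[0][2] = Sr * (1 - c.red.x - c.red.y);
    M[1][0] = Sg * c.green.x; M[1][1] = Sg * c.green.y; M[1][2] = Sg * (1 - c.green.x - c.green.y);
    M[2][0] = Sb * c.blue.x;  M[2][1] = Sb * c.blue.y;  M[2][2] = Sb * (1 - c.blue.x - c.blue.y);
}

// Hardened wrapper (this example's own design, not the upstream fix):
// reject non-finite inputs, reject each divisor at exactly zero, and reject
// any result that overflowed to inf or became NaN (a denormal white.y passes
// the zero test but still overflows X). Returns false instead of throwing so
// a reader can reject the header and keep the process alive.
bool rgbToXYZChecked(const Chromaticities& c, float Y, Mat3 M)
{
    const V2f* v[] = { &c.red, &c.green, &c.blue, &c.white };
    for (const V2f* p : v)
        if (!std::isfinite(p->x) || !std::isfinite(p->y)) return false;
    if (!std::isfinite(Y)) return false;

    if (c.white.y == 0.0f) return false;       // divisor of X and Z
    if (denominator(c) == 0.0f) return false;  // divisor of Sr, Sg, Sb

    rgbToXYZUnchecked(c, Y, M);
    for (int i = 0; i < 3; ++i)
        for (int j = 0; j < 3; ++j)
            if (!std::isfinite(M[i][j])) return false;
    return true;
}

int main()
{
    Mat3 M;
    if (!rgbToXYZChecked(kRec709, 1.0f, M)) return 1;
    for (int i = 0; i < 3; ++i)
        std::printf("%8.4f %8.4f %8.4f\n", M[i][0], M[i][1], M[i][2]);

    Chromaticities bad = kRec709;
    bad.white.y = 0.0f;                        // what a crafted header can carry
    rgbToXYZUnchecked(bad, 1.0f, M);
    std::printf("unchecked M[0][0] with white.y == 0: %f\n", M[0][0]);
    std::printf("checked rejects it: %s\n", rgbToXYZChecked(bad, 1.0f, M) ? "no" : "yes");
    return 0;
}
```

For the Rec. 709 input the checked path yields the familiar sRGB-to-XYZ matrix (0.4124 / 0.7152 / 0.9505 on the diagonal, Y coefficients summing to 1); zeroing `white.y` or collapsing the primaries onto one point makes the unchecked path produce NaN and the checked path return false. The final isfinite sweep is what catches inputs that are not exactly zero but still overflow, which an exact-zero test alone misses.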

Comment 9 Sandro Mani 2022-01-28 18:56:38 UTC
Created attachment 1857459: Patch

Patch for openexr-2.5.5