Bug 1939153 (CVE-2021-20300) - CVE-2021-20300 OpenEXR: Integer-overflow in Imf_2_5::hufUncompress
Summary: CVE-2021-20300 OpenEXR: Integer-overflow in Imf_2_5::hufUncompress
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-20300
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939174 1944443
Blocks: 1929339 1944753
TreeView+ depends on / blocked
 
Reported: 2021-03-15 17:26 UTC by Michael Kaplan
Modified: 2022-04-17 21:12 UTC (History)
5 users (show)

Fixed In Version: OpenEXR 3.0.0-beta
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenEXR's hufUncompress function in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-11-02 23:20:16 UTC
Embargoed:

Attachments (Terms of Use)

Description Michael Kaplan 2021-03-15 17:26:52 UTC 
Integer-overflow in Imf_2_5::hufUncompress
Comment 1 Michael Kaplan 2021-03-15 17:26:56 UTC 
External References:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562
Comment 2 Michael Kaplan 2021-03-15 17:40:29 UTC 
Created OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1939174]
Comment 3 Todd Cullum 2021-03-29 23:20:15 UTC 
Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0
Comment 4 Todd Cullum 2021-03-29 23:24:09 UTC 
Flaw summary:

in hufUncompress of OpenEXR/IlmImf/ImfHuf.cpp, nBits+7 could overflow in the calculation of `if ( ptr + (nBits+7 )/8 > compressed+nCompressed)`. This could lead to an impact to application availability if nBits is too large. The patch casts to 64-bit type to prevent this.
Comment 7 Todd Cullum 2021-03-29 23:44:40 UTC 
Statement:

This flaw does not affect OpenEXR shipped with Red Hat Enterprise Linux 6, 7, or 8 because the vulnerable code was introduced in a newer version of OpenEXR.
Note You need to log in before you can comment on or make changes to this bug.