Bug 1939153 (CVE-2021-20300) - CVE-2021-20300 OpenEXR: Integer-overflow in Imf_2_5::hufUncompress
Summary: CVE-2021-20300 OpenEXR: Integer-overflow in Imf_2_5::hufUncompress
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-20300
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939174 1944443
Blocks: 1944753 1929339
Reported: 2021-03-15 17:26 UTC by Michael Kaplan
Modified: 2022-04-17 21:12 UTC (History)

Fixed In Version: OpenEXR 3.0.0-beta
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenEXR's hufUncompress function in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR to trigger an integer overflow. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-11-02 23:20:16 UTC



Description Michael Kaplan 2021-03-15 17:26:52 UTC
Integer-overflow in Imf_2_5::hufUncompress

Comment 1 Michael Kaplan 2021-03-15 17:26:56 UTC
External References:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562

Comment 2 Michael Kaplan 2021-03-15 17:40:29 UTC
Created OpenEXR tracking bugs for this issue:

Affects: fedora-all [bug 1939174]

Comment 4 Todd Cullum 2021-03-29 23:24:09 UTC
Flaw summary:

In hufUncompress of OpenEXR/IlmImf/ImfHuf.cpp, nBits+7 could overflow in the calculation of `if (ptr + (nBits + 7) / 8 > compressed + nCompressed)`. This could lead to an impact to application availability if nBits is too large. The patch casts to 64-bit type to prevent this.
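
The bounds check described in the flaw summary, as an added model (not OpenEXR's code): the same comparison with nBits+7 evaluated in a 32-bit int beside the widened 64-bit form that the patch adopts. Function names, the 20-byte header offset and the 64-byte buffer size are assumptions for the demo.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the hufUncompress bounds check (names are assumptions, not
 * OpenEXR's code). `offset` stands for ptr - compressed, `nCompressed` is
 * the buffer length. Each function returns true when the read is accepted. */

/* Vulnerable form: nBits + 7 is evaluated as a 32-bit int. For nBits close
 * to INT32_MAX the sum wraps negative, the "end" pointer moves backwards and
 * the check accepts a read that runs past the buffer. The wrap is modelled
 * with unsigned arithmetic so this demo itself has no undefined behaviour. */
bool check_vulnerable(size_t offset, int32_t nBits, size_t nCompressed)
{
    int32_t sum = (int32_t)((uint32_t)nBits + 7u); /* wraps when nBits > INT32_MAX - 7 */
    int64_t end = (int64_t)offset + sum / 8;       /* negative once sum has wrapped */
    return end <= (int64_t)nCompressed;
}

/* Fixed form: widen nBits to 64 bits before adding, as the patch does, so
 * the sum cannot wrap and the comparison reflects the real byte count. */
bool check_fixed(size_t offset, int32_t nBits, size_t nCompressed)
{
    int64_t sum = (int64_t)nBits + 7;
    int64_t end = (int64_t)offset + sum / 8;
    return end <= (int64_t)nCompressed;
}

/* Constructed demo values: header of 20 bytes, compressed buffer of 64 bytes. */
#define DEMO_OFFSET      20
#define DEMO_NCOMPRESSED 64

int main(void)
{
    int32_t cases[] = { 100, 400, INT32_MAX };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("nBits=%11d  vulnerable:%s  fixed:%s\n", cases[i],
               check_vulnerable(DEMO_OFFSET, cases[i], DEMO_NCOMPRESSED) ? "accept" : "reject",
               check_fixed(DEMO_OFFSET, cases[i], DEMO_NCOMPRESSED) ? "accept" : "reject");
    }
    return 0;
}
```

For nBits = INT32_MAX the 32-bit check accepts the read while the 64-bit check rejects it; for ordinary values both agree.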

Comment 7 Todd Cullum 2021-03-29 23:44:40 UTC
Statement:

This flaw does not affect OpenEXR shipped with Red Hat Enterprise Linux 6, 7, or 8 because the vulnerable code was introduced in a newer version of OpenEXR.

