A heap-buffer overflow was found in the rleUncompress function of OpenEXR in versions before 3.0.3. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR. References: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
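For readers triaging this class of bug, the following is an added illustration and is not OpenEXR's rleUncompress nor the code from PR 1036. It models an EXR-style run-length stream (a count byte below zero means that many literal bytes follow; a count byte of zero or above means the next byte is repeated count+1 times) and shows the unchecked decoding pattern beside a decoder that bounds every run against what remains of both the input and the output buffer. Function names and the sample streams are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenEXR code: an RLE decoder for streams where
 * a count byte c < 0 is followed by -c literal bytes, and c >= 0 means
 * the following byte is repeated c + 1 times. */

/* Unsafe shape: the run lengths taken from the stream are trusted. A repeat
 * or literal run longer than the remaining output space writes past the end
 * of out (heap overflow when out is heap-allocated); a literal run longer
 * than the remaining input reads past the end of in. Shown for contrast
 * only; the demos below never feed it a malformed stream. */
int rle_decode_unchecked(const int8_t *in, size_t in_len, uint8_t *out, size_t out_len)
{
    (void)out_len;                 /* never consulted: that is the bug */
    size_t i = 0, o = 0;
    while (i < in_len) {
        int c = in[i++];
        if (c < 0) {
            size_t n = (size_t)(-c);
            memcpy(out + o, in + i, n);          /* no input or output bound */
            i += n;
            o += n;
        } else {
            size_t n = (size_t)c + 1;
            memset(out + o, (uint8_t)in[i++], n); /* no output bound */
            o += n;
        }
    }
    return (int)o;
}

/* Hardened shape: every run is checked against the bytes left in the input
 * and the space left in the output before any copy. Returns bytes written,
 * or -1 for a malformed stream. Subtractions are safe because i <= in_len
 * and o <= out_len are loop invariants. */
int rle_decode_checked(const int8_t *in, size_t in_len, uint8_t *out, size_t out_len)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        int c = in[i++];
        if (c < 0) {
            size_t n = (size_t)(-c);
            if (n > in_len - i)  return -1;      /* literal run over-reads input */
            if (n > out_len - o) return -1;      /* literal run overflows output */
            memcpy(out + o, in + i, n);
            i += n;
            o += n;
        } else {
            size_t n = (size_t)c + 1;
            if (i >= in_len)     return -1;      /* repeat byte is missing */
            if (n > out_len - o) return -1;      /* repeat run overflows output */
            memset(out + o, (uint8_t)in[i++], n);
            o += n;
        }
    }
    return (int)o;
}

/* Constructed well-formed stream: 3 literals "abc", then 'x' repeated 3 times.
 * Both decoders agree on valid input; returns 6 on success. */
int demo_well_formed(void)
{
    const int8_t stream[] = { -3, 'a', 'b', 'c', 2, 'x' };
    uint8_t a[16], b[16];
    int n = rle_decode_checked(stream, sizeof stream, a, sizeof a);
    int m = rle_decode_unchecked(stream, sizeof stream, b, sizeof b);
    if (n != 6 || m != 6 || memcmp(a, "abcxxx", 6) != 0 || memcmp(a, b, 6) != 0)
        return -1;
    return n;
}

/* Constructed malicious stream: count 0x7f asks for 128 copies of 'A' into
 * an 8-byte buffer. The checked decoder refuses with -1. */
int demo_overflowing_run(void)
{
    const int8_t stream[] = { 0x7f, 'A' };
    uint8_t out[8];
    return rle_decode_checked(stream, sizeof stream, out, sizeof out);
}

/* Constructed truncated stream: claims 5 literal bytes but only 2 follow,
 * which would over-read the input. The checked decoder refuses with -1. */
int demo_truncated_literal(void)
{
    const int8_t stream[] = { -5, 'p', 'q' };
    uint8_t out[8];
    return rle_decode_checked(stream, sizeof stream, out, sizeof out);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("overflowing run: %d\n", demo_overflowing_run());
    printf("truncated literal: %d\n", demo_truncated_literal());
    return 0;
}
```

The practical check when reviewing a decoder like this is that the remaining-output comparison happens before each memcpy/memset and that a negative or wrapped remaining-input count is rejected rather than allowed to drive further iterations.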
Created OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1970993] Created mingw-OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1970994]
Hi, This could be a duplicate of the assigned CVE-2020-11760. Can you check if the CVE is meant to cover another attack vector, in case you agree?
Good catch - thank you.
Hi (In reply to Shawn Jamison from comment #6) > Good catch - thank you. Thanks for double-checking. In this case can you REJECT CVE-2021-3605 and remove the alias for this bug as well later? This will avoid some confusion in tracking those CVEs. Thank you already!
Actually this might have been wrong. Further triage in Debian by Sylvain Beucler has shown the following, but again please double-check if this is correct: CVE-2020-11760 is specifically for https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 and fixed with https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3 CVE-2021-3605 initially refers to your Bugzilla entry, referring to https://github.com/AcademySoftwareFoundation/openexr/pull/1036 and so possibly https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 which is a different part of the code, patched very similarly. So from a further round of review it looks safe to assume both CVEs are valid and distinct.
Hi Shawn, As per comment 8, seems the two CVEs are distinct. Can you review them and let me know, please?
Upon closer review, they are indeed distinct. I believe I've taken the steps needed to separate this flaw from CVE-2020-11760. Can you review and let me know if additional actions are needed, please?
In reply to comment #10: > Upon closer review, they are indeed distinct. I believe I've taken the steps > needed to separate this flaw from CVE-2020-11760. Can you review and let me > know if additional actions are needed, please? I think it would be better to make comments like '*** This bug has been marked as a duplicate of bug 1829006 ***' private on both flaw bugs to avoid confusion. Also, please add the fixed-in version information when available so we can report this CVE to Mitre. Let me know if you have any additional questions.