2019789 – (CVE-2021-3941) CVE-2021-3941 openexr: Divide-by-zero in Imf_3_1::RGBtoXYZ

Bug 2019789 (CVE-2021-3941) - CVE-2021-3941 openexr: Divide-by-zero in Imf_3_1::RGBtoXYZ

Summary: CVE-2021-3941 openexr: Divide-by-zero in Imf_3_1::RGBtoXYZ

Keywords:
Status:	NEW
Alias:	CVE-2021-3941
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2019792 2019793 2021372 2021373 2021374
Blocks:	2013538 2021560
TreeView+	depends on / blocked

Reported:	2021-11-03 10:59 UTC by Dhananjay Arunesh
Modified:	2023-09-22 09:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:	OpenEXR 3.1.2
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)
Patch (2.56 KB, patch) 2022-01-28 18:56 UTC, Sandro Mani	no flags	Details \| Diff
View All

Description Dhananjay Arunesh 2021-11-03 10:59:22 UTC

A vulnerability was found in openexr where a Divide-by-zero was found in Imf_3_1::RGBtoXYZ.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084

Comment 1 Dhananjay Arunesh 2021-11-03 11:03:06 UTC

Created mingw-openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019793]


Created openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019792]

Comment 2 Todd Cullum 2021-11-05 17:35:26 UTC

Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/pull/1153/commits/ca289ef02c53b09a2d1e20de0333e5a718be3b1d
PR: https://github.com/AcademySoftwareFoundation/openexr/pull/1153

Comment 3 Richard Shaw 2021-11-05 17:44:13 UTC

Unless this can be cleanly applied to the 2.5 series, I don't see the point in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where it's already been fixed.

Comment 4 Todd Cullum 2021-11-08 19:31:14 UTC

In reply to comment #3:
> Unless this can be cleanly applied to the 2.5 series, I don't see the point
> in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where
> it's already been fixed.

Note that this is a "Flaw bug" - it is not tied *exclusively* to any version of Fedora or product. The status of a flaw bug is determined by and expresses the status of the security analysis of the vulnerability by the product security analyst, not the affected or fixed status directly. While having zero community or Red Hat products affected would likely result in a swift closure of a flaw, it should not be assumed that just because Fedora is not affected, that the flaw bug should be closed out at that time.

However, the "Tracker" bugs, in this case, [1][2], could be closed out directly by maintainers to reflect the status of the product or fix.

1. https://bugzilla.redhat.com/show_bug.cgi?id=2019792
2. https://bugzilla.redhat.com/show_bug.cgi?id=2019793

Comment 5 Todd Cullum 2021-11-09 02:19:04 UTC

Flaw summary:

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.

Comment 9 Sandro Mani 2022-01-28 18:56:38 UTC

Created attachment 1857459 [details]
Patch

Patch for openexr-2.5.5

Note You need to log in before you can comment on or make changes to this bug.