Bug 2262397 (CVE-2023-5841) - CVE-2023-5841 OpenEXR: Heap Overflow in Scanline Deep Data Parsing
Summary: CVE-2023-5841 OpenEXR: Heap Overflow in Scanline Deep Data Parsing
Keywords:
Status: NEW
Alias: CVE-2023-5841
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2262398 2262399 2262406 2262407
Blocks: 2262396
 
Reported: 2024-02-02 13:51 UTC by Patrick Del Bello
Modified: 2025-04-11 14:06 UTC (History)

Fixed In Version: OpenEXR 3.2.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:8800  0        None      None    None     2024-11-04 12:16:36 UTC
Red Hat Product Errata  RHSA-2024:8801  0        None      None    None     2024-11-04 12:06:21 UTC
Red Hat Product Errata  RHSA-2024:8802  0        None      None    None     2024-11-04 11:58:10 UTC
Red Hat Product Errata  RHSA-2024:9548  0        None      None    None     2024-11-13 15:25:32 UTC

Description Patrick Del Bello 2024-02-02 13:51:38 UTC
Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

https://takeonme.org/cves/CVE-2023-5841.html
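
The bug class named above (a per-pixel sample count taken from the file and never checked against the capacity the reader allocated) illustrated as an added example. This is not OpenEXR's code and the chunk layout is a hypothetical, simplified stand-in for a deep scanline, not the real on-disk format: for each of `width` pixels a little-endian uint32 sample count followed by that many 32-bit sample words, with the header having already claimed `max_samples` total. The vulnerable reader trusts each count and writes past its buffer; the hardened reader bounds each count against the remaining capacity and the remaining bytes. The overrun is detected with canary words placed after the logical buffer inside the same allocation, so the demo runs without a sanitizer; the two chunks are constructed inputs.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define GUARD_WORDS   8             /* canary slots after the logical buffer */
#define GUARD_PATTERN 0x7fc0deadu   /* arbitrary sentinel value */

typedef struct {
    uint32_t width;        /* pixels in the scanline, from the (untrusted) header */
    uint32_t max_samples;  /* sample capacity the header claimed; buffer is sized from it */
    const uint8_t *data;   /* chunk bytes, attacker controlled */
    size_t len;
} deep_chunk;

/* Read one little-endian uint32; -1 if it would run off the end of the chunk. */
static int read_u32(const deep_chunk *c, size_t *off, uint32_t *out)
{
    if (c->len < *off || c->len - *off < 4) return -1;
    const uint8_t *p = c->data + *off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *off += 4;
    return 0;
}

/* Vulnerable pattern: each pixel's count is trusted, so the running total can
 * exceed max_samples and samples[] is written out of bounds (heap overflow). */
static int read_deep_scanline_unchecked(const deep_chunk *c, uint32_t *samples)
{
    size_t off = 0, total = 0;
    for (uint32_t x = 0; x < c->width; x++) {
        uint32_t n;
        if (read_u32(c, &off, &n)) return -1;
        for (uint32_t i = 0; i < n; i++) {
            uint32_t bits;
            if (read_u32(c, &off, &bits)) return -1;
            samples[total++] = bits;            /* no check against max_samples */
        }
    }
    return (int)total;
}

/* Hardened version: a count is rejected before any copy if it exceeds the
 * remaining capacity (-2) or claims more samples than bytes remain (-1). */
static int read_deep_scanline_checked(const deep_chunk *c, uint32_t *samples)
{
    size_t off = 0, total = 0;
    for (uint32_t x = 0; x < c->width; x++) {
        uint32_t n;
        if (read_u32(c, &off, &n)) return -1;
        if (n > c->max_samples - total) return -2;   /* total <= max_samples holds here */
        if ((size_t)n * 4 > c->len - off) return -1;
        for (uint32_t i = 0; i < n; i++) {
            uint32_t bits;
            read_u32(c, &off, &bits);                /* cannot fail: length checked above */
            samples[total++] = bits;
        }
    }
    return (int)total;
}

/* Run a reader into max_samples words followed by GUARD_WORDS canaries; report
 * via *clobbered whether any canary was overwritten. The guard must be large
 * enough to absorb the overrun of the chunk being tested (it is for BAD_CHUNK). */
static int run_reader(int (*reader)(const deep_chunk *, uint32_t *),
                      const deep_chunk *c, int *clobbered)
{
    size_t n = (size_t)c->max_samples + GUARD_WORDS;
    uint32_t *buf = calloc(n, sizeof *buf);
    if (!buf) return -1;
    for (size_t i = c->max_samples; i < n; i++) buf[i] = GUARD_PATTERN;
    int rc = reader(c, buf);
    *clobbered = 0;
    for (size_t i = c->max_samples; i < n; i++)
        if (buf[i] != GUARD_PATTERN) *clobbered = 1;
    free(buf);
    return rc;
}

/* Constructed inputs: the header says width 2 and max_samples 4. */
static const uint8_t GOOD_CHUNK[] = {
    2,0,0,0,  1,0,0,0, 2,0,0,0,            /* pixel 0: 2 samples */
    2,0,0,0,  3,0,0,0, 4,0,0,0,            /* pixel 1: 2 samples, total 4 */
};
static const uint8_t BAD_CHUNK[] = {
    3,0,0,0,  1,0,0,0, 2,0,0,0, 3,0,0,0,   /* pixel 0: 3 samples */
    3,0,0,0,  4,0,0,0, 5,0,0,0, 6,0,0,0,   /* pixel 1: 3 samples, total 6 > 4 */
};

static deep_chunk make_chunk(const uint8_t *data, size_t len)
{
    deep_chunk c = { 2, 4, data, len };
    return c;
}

int demo_unchecked_overflows(void)      /* 1 if the unchecked reader hit the canary */
{
    deep_chunk c = make_chunk(BAD_CHUNK, sizeof BAD_CHUNK);
    int clobbered = 0;
    run_reader(read_deep_scanline_unchecked, &c, &clobbered);
    return clobbered;
}

int demo_checked_rejects(void)          /* checked reader's code on the bad chunk */
{
    deep_chunk c = make_chunk(BAD_CHUNK, sizeof BAD_CHUNK);
    int clobbered = 0;
    int rc = run_reader(read_deep_scanline_checked, &c, &clobbered);
    return clobbered ? -99 : rc;
}

int demo_checked_accepts_good(void)     /* samples read from the well-formed chunk */
{
    deep_chunk c = make_chunk(GOOD_CHUNK, sizeof GOOD_CHUNK);
    int clobbered = 0;
    int rc = run_reader(read_deep_scanline_checked, &c, &clobbered);
    return clobbered ? -99 : rc;
}

int main(void)
{
    printf("unchecked reader overran its buffer on the bad chunk: %d\n", demo_unchecked_overflows());
    printf("checked reader on the bad chunk: %d\n", demo_checked_rejects());
    printf("checked reader on the good chunk: %d samples\n", demo_checked_accepts_good());
    return 0;
}
```

The check that matters is the one against remaining capacity: a count that is individually plausible still overflows once added to what earlier pixels already consumed, which is why the bound is on the running total rather than on each count alone. Under ASan the unchecked reader would abort instead of silently clobbering the canary.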

Comment 1 Patrick Del Bello 2024-02-02 13:53:31 UTC
Created openexr2 tracking bugs for this issue:

Affects: fedora-all [bug 2262399]


Created usd tracking bugs for this issue:

Affects: fedora-all [bug 2262398]

Comment 3 Mauro Matteo Cascella 2024-02-02 14:41:29 UTC
Created mingw-openexr tracking bugs for this issue:

Affects: fedora-all [bug 2262407]


Created openexr tracking bugs for this issue:

Affects: fedora-all [bug 2262406]

Comment 7 errata-xmlrpc 2024-11-04 11:58:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:8802 https://access.redhat.com/errata/RHSA-2024:8802

Comment 8 errata-xmlrpc 2024-11-04 12:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:8801 https://access.redhat.com/errata/RHSA-2024:8801

Comment 9 errata-xmlrpc 2024-11-04 12:16:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8800 https://access.redhat.com/errata/RHSA-2024:8800

Comment 10 errata-xmlrpc 2024-11-13 15:25:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9548 https://access.redhat.com/errata/RHSA-2024:9548
