An invalid pointer free flaw was found in OpenEXR by Huffman decoding. A remote attacker could provide a specially-crafted image file, which once opened to a local, unsuspecting user would lead to denial of service ("exrmakepreview" crash). Credit: Drew Yao of Apple Product Security -------
Public now via: http://seclists.org/fulldisclosure/2009/Jul/0444.html
This issue affects the versions of the OpenEXR package, as shipped with Fedora releases of 10 and 11. This issue affects the versions of the OpenEXR package, as shipped with Extra Packages for Enterprise Linux 4 (EPEL4) and Extra Packages for Enterprise Linux 5 (EPEL5) projects.
Created attachment 355419 [details] Freeing unitialised pointers (CVE-2009-1721) patch by Drew Yao
I can prepare fixed pkgs using these patches (thanks), is it ok to reference this bug when pushing the update?
(In reply to comment #6) > is it ok to reference this bug when pushing the update? Sure.
(In reply to comment #6) > I can prepare fixed pkgs using these patches (thanks) Hello Rex, thanks, just to explicitly mention, there are three issues CVE-2009-1720 CVE-2009-1721 and CVE-2009-1722 (only first two affecting Fedora's OpenEXR packages though).
OpenEXR-1.6.1-8.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/OpenEXR-1.6.1-8.fc10
OpenEXR-1.6.1-8.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/OpenEXR-1.6.1-8.fc11
OpenEXR-1.4.0a-5.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/OpenEXR-1.4.0a-5.el5
OpenEXR-1.4.0a-5.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/OpenEXR-1.4.0a-5.el4
OpenEXR-1.6.1-8.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
OpenEXR-1.6.1-8.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
OpenEXR-1.4.0a-5.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
OpenEXR-1.4.0a-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.