An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020
Created OpenEXR tracking bugs for this issue:
Affects: fedora-all [bug 1829008]

Created mingw-OpenEXR tracking bugs for this issue:
Affects: fedora-all [bug 1829007]
Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3#diff-ed1802b70da789f8506b84624c3f166c
Cause: memcpy was being called on an input buffer to rleUncompress which was not large enough to fit all of the data.
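The missing check described in the cause above, shown in an added example that is not OpenEXR's code or the upstream patch: a small run-length decoder that verifies each run against the remaining input before copying. The function names and the encoding (a negative control byte means that many literal bytes follow, a non-negative one means the next byte is repeated n + 1 times) are assumptions made for illustration, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical decoder, not OpenEXR source.
 * Returns the number of bytes written, or -1 if a run claims more input
 * than remains or would write past the output buffer. */
int rle_decode_checked(const signed char *in, int in_len,
                       char *out, int out_cap)
{
    char *out_start = out;

    while (in_len > 0) {
        int ctl = *in++;
        int count = ctl < 0 ? -ctl : ctl + 1;   /* run length, 1..128 */
        int need = ctl < 0 ? count : 1;         /* input bytes the run consumes */
        in_len--;

        if (need > in_len)      /* truncated input: without this, memcpy reads out of bounds */
            return -1;
        if (count > out_cap)    /* run would overflow the output buffer */
            return -1;

        if (ctl < 0)
            memcpy(out, in, (size_t)count);     /* literal run */
        else
            memset(out, *in, (size_t)count);    /* repeated byte */

        in += need;   in_len -= need;
        out += count; out_cap -= count;
    }
    return (int)(out - out_start);
}

/* Constructed input: 3 literal bytes, then 'z' repeated 3 times. */
int demo_valid(void)
{
    static const signed char in[] = { -3, 'a', 'b', 'c', 2, 'z' };
    char out[16];
    int n = rle_decode_checked(in, (int)sizeof in, out, (int)sizeof out);
    return (n == 6 && memcmp(out, "abczzz", 6) == 0) ? n : -2;
}

/* Constructed input: control byte claims 5 literal bytes, only 2 are present. */
int demo_truncated(void)
{
    static const signed char in[] = { -5, 'a', 'b' };
    char out[16];
    return rle_decode_checked(in, (int)sizeof in, out, (int)sizeof out);
}

int main(void) { return (demo_valid() == 6 && demo_truncated() == -1) ? 0 : 1; }
```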
Statement: Red Hat Enterprise Linux 7 and prior do not ship the versions of OpenEXR which are vulnerable to this flaw.
This functionality was added as part of the DWA Compressor support in v2.2.0 [1].

[1] https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.2.0
This flaw shares the same underlying cause/patch as CVE-2020-11763.
*** Bug 1970991 has been marked as a duplicate of this bug. ***