A heap-buffer overflow was found in the rleUncompress function of OpenEXR
in versions before 3.0.3. An attacker could use this flaw to execute
arbitrary code with the permissions of the user running the application
compiled against OpenEXR.
Created OpenEXR tracking bugs for this issue:
Affects: fedora-all [bug 1970993]
Created mingw-OpenEXR tracking bugs for this issue:
Affects: fedora-all [bug 1970994]
This could be a duplicate for the assigned CVE-2020-11760. Can you check it the CVE is meant to cover another attack vector in case you agree?
Good catch - thank you.
(In reply to Shawn Jamison from comment #6)
> Good catch - thank you.
Thank for double-checking. In this case can you REJECT CVE-2021-3605 and remove the alias for this bug as well later?
This will avoid some confusion in tracking those CVEs.
Thank you already!
Actually this might have been wrong. Further triage in Debian by Syvain Beucler has shown the following, but again please double-check if this is correct:
CVE-2020-11760 is specifically for
https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 and fixed with https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3
CVE-2021-3605 initially refers to your Bugzilla entry, referring to https://github.com/AcademySoftwareFoundation/openexr/pull/1036 and so possibly https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 which is differnt part of the code, patched very similarly.
So form a further round of review it looks safe to assume both CVEs are valid and distinct.
As per comment 8, seems the two CVEs are distinct. Can you review them and let me know, please?
Upon closer review, they are indeed distinct. I believe I've taken the steps needed to separate this flaw from CVE-2020-11760. Can you review and let me know if additional actions are needed, please?
In reply to comment #10:
> Upon closer review, they are indeed distinct. I believe I've taken the steps
> needed to separate this flaw from CVE-2020-11760. Can you review and let me
> know if additional actions are needed, please?
I think it would be better to make comments like '*** This bug has been marked as a duplicate of bug 1829006 ***' being marked private on both flaw bugs for avoid confusion. Also, please add the fixedin version information when available so we can report this CVE to Mitre.
Let me know if you have any additional questions.