Bug 2019789 (CVE-2021-3941) - CVE-2021-3941 openexr: Divide-by-zero in Imf_3_1::RGBtoXYZ
Summary: CVE-2021-3941 openexr: Divide-by-zero in Imf_3_1::RGBtoXYZ
Keywords:
Status: NEW
Alias: CVE-2021-3941
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2019792 2019793 2021372 2021373 2021374
Blocks: 2013538 2021560
TreeView+ depends on / blocked
 
Reported: 2021-11-03 10:59 UTC by Dhananjay Arunesh
Modified: 2023-09-22 09:21 UTC (History)
5 users (show)

Fixed In Version: OpenEXR 3.1.2
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)
Patch (2.56 KB, patch)
2022-01-28 18:56 UTC, Sandro Mani
no flags Details | Diff

Description Dhananjay Arunesh 2021-11-03 10:59:22 UTC
A vulnerability was found in openexr where a Divide-by-zero was found in Imf_3_1::RGBtoXYZ.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084

Comment 1 Dhananjay Arunesh 2021-11-03 11:03:06 UTC
Created mingw-openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019793]


Created openexr tracking bugs for this issue:

Affects: fedora-all [bug 2019792]

Comment 3 Richard Shaw 2021-11-05 17:44:13 UTC
Unless this can be cleanly applied to the 2.5 series, I don't see the point in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where it's already been fixed.

Comment 4 Todd Cullum 2021-11-08 19:31:14 UTC
In reply to comment #3:
> Unless this can be cleanly applied to the 2.5 series, I don't see the point
> in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where
> it's already been fixed.

Note that this is a "Flaw bug" - it is not tied *exclusively* to any version of Fedora or product. The status of a flaw bug is determined by and expresses the status of the security analysis of the vulnerability by the product security analyst, not the affected or fixed status directly. While having zero community or Red Hat products affected would likely result in a swift closure of a flaw, it should not be assumed that just because Fedora is not affected, that the flaw bug should be closed out at that time.

However, the "Tracker" bugs, in this case, [1][2], could be closed out directly by maintainers to reflect the status of the product or fix.

1. https://bugzilla.redhat.com/show_bug.cgi?id=2019792
2. https://bugzilla.redhat.com/show_bug.cgi?id=2019793

Comment 5 Todd Cullum 2021-11-09 02:19:04 UTC
Flaw summary:

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.

Comment 9 Sandro Mani 2022-01-28 18:56:38 UTC
Created attachment 1857459 [details]
Patch

Patch for openexr-2.5.5


Note You need to log in before you can comment on or make changes to this bug.