From: GNU bug Tracking System
Subject: bug#47509: closed (OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475)
Date: Mon, 05 Jul 2021 23:47:02 +0000

Your message dated Mon, 05 Jul 2021 23:46:15 +0000
with message-id <db3160c50ea1ed51018ec9cdf093151937b43d4e.camel@posteo.net>
and subject line OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and
CVE-2021-3475
has caused the debbugs.gnu.org bug report #47509,
regarding OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and
CVE-2021-3475
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)
--
47509: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47509
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
Date: Wed, 31 Mar 2021 03:47:32 +0200
User-agent: Evolution 3.34.2

CVE-2021-3474 30.03.21 20:15
There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted
input file that is processed by OpenEXR could cause a shift overflow in
the FastHufDecoder, potentially leading to problems with application
availability.
Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f

CVE-2021-3476 30.03.21 20:15
A flaw was found in OpenEXR's B44 uncompression functionality in
versions before 3.0.0-beta. An attacker who is able to submit a crafted
file to OpenEXR could trigger shift overflows, potentially affecting
application availability.
Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9

CVE-2021-3475 30.03.21 20:15
There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker
who can submit a crafted file to be processed by OpenEXR could cause an
integer overflow, potentially leading to problems with application
availability.
Fix:
https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753

I could not check if these flaws affect the 2.5.2 version packaged in
GNU Guix yet.
--- End Message ---
--- Begin Message ---
Subject: OpenEXR may be vulnerable to CVE-2021-3474, CVE-2021-3476 and CVE-2021-3475
Date: Mon, 05 Jul 2021 23:46:15 +0000

Hi,

I found [1] which lists which versions of OpenEXR are vulnerable to
which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2],
while we are currently tracking version 2.5.5, for which there are no
known CVEs.

I will close this issue. Feel free to reopen if I missed anything.

[1] https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md
[2] https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-254-december-31-2020
--- End Message ---