Your message dated Sat, 10 Dec 2022 19:17:13 +0000
with message-id <e1p45lv-004rey...@fasolo.debian.org>
and subject line Bug#1014828: fixed in openexr 2.5.4-2+deb11u1
has caused the Debian Bug report #1014828,
regarding openexr: CVE-2021-3933 CVE-2021-3941 CVE-2021-45942
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014828
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openexr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openexr.

CVE-2021-3933[0]:
| An integer overflow could occur when OpenEXR processes a crafted file
| on systems where size_t < 64 bits. This could cause an invalid
| bytesPerLine and maxBytesPerLine value, which could lead to problems
| with application stability or lead to other attack paths.

https://bugzilla.redhat.com/show_bug.cgi?id=2019783
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38912
Fixed by: 
https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17

CVE-2021-3941[1]:
| In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division
| operations such as `float Z = (1 - chroma.white.x - chroma.white.y) *
| Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the
| divisor is not checked for a 0 value. A specially crafted file could
| trigger a divide-by-zero condition which could affect the availability
| of programs linked with OpenEXR.

https://bugzilla.redhat.com/show_bug.cgi?id=2019789
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084
https://github.com/AcademySoftwareFoundation/openexr/pull/1153
Fixed by: 
https://github.com/AcademySoftwareFoundation/openexr/commit/a0cfa81153b2464b864c5fe39a53cb03339092ed

CVE-2021-45942[2]:
| OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in
| Imf_3_1::LineCompositeTask::execute (called from
| IlmThread_3_1::NullThreadPoolProvider::addTask and
| IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be
| inapplicable.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
https://github.com/AcademySoftwareFoundation/openexr/pull/1209
https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3933
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933
[1] https://security-tracker.debian.org/tracker/CVE-2021-3941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3941
[2] https://security-tracker.debian.org/tracker/CVE-2021-45942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45942

Please adjust the affected versions in the BTS as needed.

--- End Message ---
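The unchecked divisions behind CVE-2021-3941 beside the divisor check that closes the hole, as an added example written for this page (constructed stand-ins for OpenEXR's Chromaticities type and for the RGBtoXYZ() intermediates; not the project's own code or its actual patch):

```cpp
#include <cmath>
#include <stdexcept>

// Constructed stand-ins for Imath::V2f and Imf::Chromaticities (not OpenEXR's types).
struct V2f { float x, y; };
struct Chromaticities { V2f red, green, blue, white; };

// The intermediate values RGBtoXYZ() derives from the chromaticities:
// X and Z of "white" (divided by white.y) and the row scale factor d
// that every matrix entry is later divided by.
struct Intermediates { float X, Z, d; };

static float rowScale (const Chromaticities& c)
{
    return c.red.x   * (c.blue.y  - c.green.y) +
           c.blue.x  * (c.green.y - c.red.y)   +
           c.green.x * (c.red.y   - c.blue.y);
}

// Vulnerable shape (CVE-2021-3941): white.y and d come straight from the
// file's chromaticities attribute and are used as divisors unchecked.
Intermediates intermediatesUnchecked (const Chromaticities& c, float Y)
{
    float X = c.white.x * Y / c.white.y;
    float Z = (1 - c.white.x - c.white.y) * Y / c.white.y;
    return {X, Z, rowScale (c)};
}

// Hardened form: reject a zero (or non-finite) divisor before dividing.
// white.y == 0 is a crafted white point; d == 0 means the three primaries
// are collinear, so no finite RGB->XYZ matrix exists either way.
bool chromaticitiesAreValid (const Chromaticities& c)
{
    float d = rowScale (c);
    return std::isfinite (c.white.y) && c.white.y != 0.0f &&
           std::isfinite (d)         && d != 0.0f;
}

Intermediates intermediatesChecked (const Chromaticities& c, float Y)
{
    if (!chromaticitiesAreValid (c))
        throw std::invalid_argument ("chromaticities: zero divisor in RGBtoXYZ");
    return intermediatesUnchecked (c, Y);
}

// Rec. 709 primaries with D65 white: a well-formed input (constructed sample).
const Chromaticities kRec709 = {{0.64f, 0.33f}, {0.30f, 0.60f},
                                {0.15f, 0.06f}, {0.3127f, 0.3290f}};
```

A reader validating at the attribute level (when the `chromaticities` header attribute is parsed) fails the file early instead of letting the bad divisor reach the conversion.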
--- Begin Message ---
Source: openexr
Source-Version: 2.5.4-2+deb11u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openexr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated openexr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 10 Dec 2022 15:03:52 CET
Source: openexr
Architecture: source
Version: 2.5.4-2+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-de...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Checksums-Sha1:
Checksums-Sha256:
Closes: 990450 990899 992703 1014828
Changes:
 openexr (2.5.4-2+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2021-3598, CVE-2021-3605, CVE-2021-3933, CVE-2021-3941,
     CVE-2021-23215, CVE-2021-26260 and CVE-2021-45942.
     Multiple security vulnerabilities have been found in OpenEXR, command-line
     tools and a library for the OpenEXR image format. Buffer overflows or
     out-of-bound reads could lead to a denial of service (application crash) if
     a malformed image file is processed.
     (Closes: #992703, #990450, #990899, #1014828, #1014828)
Files:


--- End Message ---
