Bug 45363 - openexr: Multiple issues (4.2)
openexr: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-08 15:21 CEST by Arvid Requate
Modified: 2018-05-09 14:46 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-09-08 15:21:33 CEST
Upstream Debian package version 1.6.1-6+deb7u1 fixes:

* invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9110)

* invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9112)

* invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash. (CVE-2017-9116)
Comment 1 Philipp Hahn univentionstaff 2018-01-25 11:14:45 CET
UCS-4.2 has 1.6.1-8 from Debian-Jessie, deb7u1 is Debian-Wheezy = UCS-4.1
The currently is no patch for Jessie: <https://security-tracker.debian.org/tracker/CVE-2017-9110>
Comment 2 Philipp Hahn univentionstaff 2018-01-25 17:28:04 CET
r17993 | Bug #45363: openexr

Package: openexr
Version: 1.6.1-8A~4.2.0.201801251720
Branch: ucs_4.2-0
Scope: errata4.2-3

000c751e4e Bug #45363: OpenEXR
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:57:20 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/openexr_1.6.1-8.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/openexr_1.6.1-8A~4.2.0.201801251720.dsc
@@ -1,3 +1,8 @@
+1.6.1-8A~4.2.0.201801251720 [Thu, 25 Jan 2018 17:20:18 +0100] Univention builddaemon <buildd@univention.de>:
+
+  * UCS auto build. The following patches have been applied to the original source package
+    CVE-2017-911x
+
 1.6.1-8 [Sun, 31 Aug 2014 07:56:20 +0200] Andreas Metzler <ametzler@debian.org>:
 
   * QA upload.
Comment 4 Arvid Requate univentionstaff 2018-05-08 13:20:11 CEST
Patched via 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt

Patch origin unclear: our patch now has one patch hunk less than the commit *quoted* in it:

 https://github.com/binarycrusader/openexr/commit/cc603afc7857b99c55360be75a9549422991c1e9

=========================================================================
--- cc603afc7857b99c55360be75a9549422991c1e9.patch   2018-05-08 12:58:16.863748223 +0200
+++ 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt      2018-05-08 12:54:32.614239161 +0200
@@ -1,26 +1,22 @@
-diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.cpp b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
-index 4985be62..804cf6ca 100644
---- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp
-+++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
-@@ -2386,7 +2386,12 @@ DwaCompressor::uncompress
- 
-     const char *dataPtr            = inPtr + NUM_SIZES_SINGLE * sizeof(Int64);
- 
--    if (inSize < headerSize + compressedSize) 
-+    /* Both the sum and individual sizes are checked in case of overflow. */
-+    if (inSize < (headerSize + compressedSize) ||
-+        inSize < unknownCompressedSize ||
-+        inSize < acCompressedSize ||
-+        inSize < dcCompressedSize ||
-+        inSize < rleCompressedSize)
-     {
-         throw Iex::InputExc("Error uncompressing DWA data"
-                             "(truncated file).");
=========================================================================


Also, I cloned that upstream repo and

git branch --contains cc603afc7857b99c55360be75a9549422991c1e9

doesn't find that commit any longer. Debian also didn't ship anything here.
Comment 5 Philipp Hahn univentionstaff 2018-05-08 14:08:25 CEST
(In reply to Arvid Requate from comment #4)
> Patched via 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt
> 
> Patch origin unclear:

The original fix was for Debian-sid, with version 2.2.x:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864078#19>.
The git commit ID is from that patch.

> our patch now has one patch hunk less than the commit
> *quoted* in it:
...
>  https://github.com/binarycrusader/openexr/commit/
> cc603afc7857b99c55360be75a9549422991c1e9
...
> ---- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp
> -+++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
> -@@ -2386,7 +2386,12 @@ DwaCompressor::uncompress

Debian-Jessie=UCS-4.2 only has 1.6.y; the affected code is not yet available:

$ grep ImfDwaCompressor.cpp ./debian/patches/CVE-2017-911x.quilt:
> The vulnerable code in ImfDwaCompressor.cpp is not present in this version.

> Also, I cloned that upstream repo and

Which one:
  https://github.com/openexr/openexr.git
or
  https://github.com/binarycrusader/openexr.git
as the later one is a fork from the upstream version (1st)

> git branch --contains cc603afc7857b99c55360be75a9549422991c1e9

Branches are usually deleted when the merge request/issue for them are done, so is okay to not find a branch.
Comment 6 Arvid Requate univentionstaff 2018-05-08 14:10:06 CEST
> Which one:

The one listed in the patch.
Comment 7 Arvid Requate univentionstaff 2018-05-09 13:03:27 CEST
Verified:
* Patch source validated
* Missing hunk does not apply to jessie version, code note present
* No other UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 8 Arvid Requate univentionstaff 2018-05-09 14:46:42 CEST
<http://errata.software-univention.de/ucs/4.2/416.html>