Univention Bugzilla – Bug 45363
openexr: Multiple issues (4.2)
Last modified: 2018-05-09 14:46:42 CEST
Upstream Debian package version 1.6.1-6+deb7u1 fixes:
* invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9110)
* invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9112)
* invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash. (CVE-2017-9116)
UCS-4.2 has 1.6.1-8 from Debian-Jessie; deb7u1 is Debian-Wheezy = UCS-4.1. There is currently no patch for Jessie: <https://security-tracker.debian.org/tracker/CVE-2017-9110>
r17993 | Bug #45363: openexr
Package: openexr
Version: 1.6.1-8A~4.2.0.201801251720
Branch: ucs_4.2-0
Scope: errata4.2-3
000c751e4e Bug #45363: OpenEXR
--- mirror/ftp/4.2/unmaintained/4.2-0/source/openexr_1.6.1-8.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/openexr_1.6.1-8A~4.2.0.201801251720.dsc @@ -1,3 +1,8 @@ +1.6.1-8A~4.2.0.201801251720 [Thu, 25 Jan 2018 17:20:18 +0100] Univention builddaemon <buildd@univention.de>: + + * UCS auto build. The following patches have been applied to the original source package + CVE-2017-911x + 1.6.1-8 [Sun, 31 Aug 2014 07:56:20 +0200] Andreas Metzler <ametzler@debian.org>: * QA upload.
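Review bot: the changelog entry names the applied patch only as "CVE-2017-911x"; list the individual identifiers it covers (CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116, per the bug description) so the advisory and security trackers can match the entry to the fixed issues.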
Patched via 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt Patch origin unclear: our patch now has one patch hunk less than the commit *quoted* in it: https://github.com/binarycrusader/openexr/commit/cc603afc7857b99c55360be75a9549422991c1e9 ========================================================================= --- cc603afc7857b99c55360be75a9549422991c1e9.patch 2018-05-08 12:58:16.863748223 +0200 +++ 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt 2018-05-08 12:54:32.614239161 +0200 @@ -1,26 +1,22 @@ -diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.cpp b/OpenEXR/IlmImf/ImfDwaCompressor.cpp -index 4985be62..804cf6ca 100644 ---- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp -+++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp -@@ -2386,7 +2386,12 @@ DwaCompressor::uncompress - - const char *dataPtr = inPtr + NUM_SIZES_SINGLE * sizeof(Int64); - -- if (inSize < headerSize + compressedSize) -+ /* Both the sum and individual sizes are checked in case of overflow. */ -+ if (inSize < (headerSize + compressedSize) || -+ inSize < unknownCompressedSize || -+ inSize < acCompressedSize || -+ inSize < dcCompressedSize || -+ inSize < rleCompressedSize) - { - throw Iex::InputExc("Error uncompressing DWA data" - "(truncated file)."); ========================================================================= Also, I cloned that upstream repo and git branch --contains cc603afc7857b99c55360be75a9549422991c1e9 doesn't find that commit any longer. Debian also didn't ship anything here.
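Review bot: the hunk dropped from the upstream commit is the one that replaces the single `inSize < headerSize + compressedSize` check in DwaCompressor::uncompress with additional per-term checks (`inSize < acCompressedSize`, `inSize < dcCompressedSize`, ...) so that an overflowing sum cannot pass the truncation test; omitting it is fine only if that code does not exist in 1.6.1-8, and the quilt patch header should record that reason rather than only citing the upstream commit.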
(In reply to Arvid Requate from comment #4)
> Patched via 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt
>
> Patch origin unclear:

The original fix was for Debian-sid, with version 2.2.x: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864078#19>. The git commit ID is from that patch.

> our patch now has one patch hunk less than the commit
> *quoted* in it:
...
> https://github.com/binarycrusader/openexr/commit/
> cc603afc7857b99c55360be75a9549422991c1e9
...
> ---- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp
> -+++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
> -@@ -2386,7 +2386,12 @@ DwaCompressor::uncompress

Debian-Jessie=UCS-4.2 only has 1.6.y; the affected code is not yet available:

$ grep ImfDwaCompressor.cpp ./debian/patches/CVE-2017-911x.quilt:
> The vulnerable code in ImfDwaCompressor.cpp is not present in this version.

> Also, I cloned that upstream repo and

Which one: https://github.com/openexr/openexr.git or https://github.com/binarycrusader/openexr.git, as the latter one is a fork from the upstream version (1st)?

> git branch --contains cc603afc7857b99c55360be75a9549422991c1e9

Branches are usually deleted when the merge request/issue for them is done, so it is okay not to find a branch.
> Which one:

The one listed in the patch.
Verified:
* Patch source validated
* Missing hunk does not apply to jessie version, code not present
* No other UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
<http://errata.software-univention.de/ucs/4.2/416.html>