Bug 45363 - openexr: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Reported: 2017-09-08 15:21 CEST by Arvid Requate
Modified: 2018-05-09 14:46 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
requate: Patch_Available+

Description Arvid Requate univentionstaff 2017-09-08 15:21:33 CEST
Upstream Debian package version 1.6.1-6+deb7u1 fixes:

* invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9110)

* invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9112)

* invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash. (CVE-2017-9116)
Comment 1 Philipp Hahn univentionstaff 2018-01-25 11:14:45 CET
UCS-4.2 has 1.6.1-8 from Debian-Jessie, deb7u1 is Debian-Wheezy = UCS-4.1
There is currently no patch for Jessie: <https://security-tracker.debian.org/tracker/CVE-2017-9110>
Comment 2 Philipp Hahn univentionstaff 2018-01-25 17:28:04 CET
r17993 | Bug #45363: openexr

Package: openexr
Version: 1.6.1-8A~4.2.0.201801251720
Branch: ucs_4.2-0
Scope: errata4.2-3

000c751e4e Bug #45363: OpenEXR
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:57:20 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/openexr_1.6.1-8.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/openexr_1.6.1-8A~4.2.0.201801251720.dsc
@@ -1,3 +1,8 @@
+1.6.1-8A~4.2.0.201801251720 [Thu, 25 Jan 2018 17:20:18 +0100] Univention builddaemon <buildd@univention.de>:
+
+  * UCS auto build. The following patches have been applied to the original source package
+    CVE-2017-911x
+
 1.6.1-8 [Sun, 31 Aug 2014 07:56:20 +0200] Andreas Metzler <ametzler@debian.org>:
 
   * QA upload.
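Review bot: The new changelog entry at `+    CVE-2017-911x` uses a wildcard instead of naming the CVEs that were actually applied; the bug description lists CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116, and the changelog is what advisory tooling and users read, so list the three identifiers individually.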
Comment 4 Arvid Requate univentionstaff 2018-05-08 13:20:11 CEST
Patched via 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt

Patch origin unclear: our patch now has one patch hunk less than the commit *quoted* in it:

 https://github.com/binarycrusader/openexr/commit/cc603afc7857b99c55360be75a9549422991c1e9

=========================================================================
--- cc603afc7857b99c55360be75a9549422991c1e9.patch   2018-05-08 12:58:16.863748223 +0200
+++ 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt      2018-05-08 12:54:32.614239161 +0200
@@ -1,26 +1,22 @@
-diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.cpp b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
-index 4985be62..804cf6ca 100644
---- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp
-+++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
-@@ -2386,7 +2386,12 @@ DwaCompressor::uncompress
- 
-     const char *dataPtr            = inPtr + NUM_SIZES_SINGLE * sizeof(Int64);
- 
--    if (inSize < headerSize + compressedSize) 
-+    /* Both the sum and individual sizes are checked in case of overflow. */
-+    if (inSize < (headerSize + compressedSize) ||
-+        inSize < unknownCompressedSize ||
-+        inSize < acCompressedSize ||
-+        inSize < dcCompressedSize ||
-+        inSize < rleCompressedSize)
-     {
-         throw Iex::InputExc("Error uncompressing DWA data"
-                             "(truncated file).");
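Review bot: The hunk header `@@ -1,26 +1,22 @@` announces 22 lines on the new (quilt) side, but only removed lines are shown, so this excerpt does not show what the quilt file carries in place of the dropped ImfDwaCompressor.cpp hunk; include the `+` side or the surrounding context lines so the comparison can be verified. Since the dropped hunk is itself a bounds check (sum and individual sizes against inSize), the reason for dropping it belongs in the patch header of the quilt file.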
=========================================================================


Also, I cloned that upstream repo and

git branch --contains cc603afc7857b99c55360be75a9549422991c1e9

doesn't find that commit any longer. Debian also didn't ship anything here.
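As an added illustration (not code from this bug, from OpenEXR, or from the quoted commit) of why the upstream hunk checks each section size as well as their sum: with 64-bit sizes taken from the file header, a crafted set of sizes can wrap the sum while a single section still exceeds the input. The function names and the buffer values below are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example, not OpenEXR code: it mirrors the shape of the
 * DwaCompressor::uncompress check in the quoted upstream commit, where the
 * per-section sizes are read from the untrusted file header as 64-bit values. */

/* Pre-fix shape: only the sum is compared against the available input.
 * Four attacker-controlled uint64_t values can wrap when added, so a tiny
 * wrapped total passes even though one part alone exceeds the buffer. */
bool sizes_ok_sum_only(uint64_t inSize, uint64_t headerSize,
                       uint64_t unknown, uint64_t ac, uint64_t dc, uint64_t rle)
{
    uint64_t compressedSize = unknown + ac + dc + rle;  /* unsigned wrap */
    return inSize >= headerSize + compressedSize;
}

/* Fixed shape, as the commit comment says: "Both the sum and individual
 * sizes are checked in case of overflow". A single part larger than inSize
 * is rejected no matter what the (possibly wrapped) sum says. */
bool sizes_ok_fixed(uint64_t inSize, uint64_t headerSize,
                    uint64_t unknown, uint64_t ac, uint64_t dc, uint64_t rle)
{
    uint64_t compressedSize = unknown + ac + dc + rle;
    return inSize >= headerSize + compressedSize &&
           inSize >= unknown && inSize >= ac &&
           inSize >= dc && inSize >= rle;
}

int main(void)
{
    const uint64_t inSize = 4096, headerSize = 88;   /* constructed buffer */

    /* Honest header: four sections totalling 1000 bytes; both checks accept. */
    printf("honest   sum-only=%d fixed=%d\n",
           sizes_ok_sum_only(inSize, headerSize, 100, 200, 300, 400),
           sizes_ok_fixed(inSize, headerSize, 100, 200, 300, 400));

    /* Crafted header: (2^64-1001) + 1000 + 1 + 0 wraps to exactly 0, so the
     * sum-only check sees 88 <= 4096 and accepts; the fixed check rejects. */
    printf("wrapped  sum-only=%d fixed=%d\n",
           sizes_ok_sum_only(inSize, headerSize, UINT64_MAX - 1000, 1000, 1, 0),
           sizes_ok_fixed(inSize, headerSize, UINT64_MAX - 1000, 1000, 1, 0));
    return 0;
}
```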
Comment 5 Philipp Hahn univentionstaff 2018-05-08 14:08:25 CEST
(In reply to Arvid Requate from comment #4)
> Patched via 4.2-0-0-ucs/1.6.1-8-errata4.2-3/CVE-2017-911x.quilt
> 
> Patch origin unclear:

The original fix was for Debian-sid, with version 2.2.x:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864078#19>.
The git commit ID is from that patch.

> our patch now has one patch hunk less than the commit
> *quoted* in it:
...
>  https://github.com/binarycrusader/openexr/commit/
> cc603afc7857b99c55360be75a9549422991c1e9
...
> ---- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp
> -+++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
> -@@ -2386,7 +2386,12 @@ DwaCompressor::uncompress

Debian-Jessie=UCS-4.2 only has 1.6.y; the affected code is not yet available:

$ grep ImfDwaCompressor.cpp ./debian/patches/CVE-2017-911x.quilt:
> The vulnerable code in ImfDwaCompressor.cpp is not present in this version.

> Also, I cloned that upstream repo and

Which one:
  https://github.com/openexr/openexr.git
or
  https://github.com/binarycrusader/openexr.git
as the latter one is a fork from the upstream version (1st)

> git branch --contains cc603afc7857b99c55360be75a9549422991c1e9

Branches are usually deleted when the merge request/issue for them is done, so it is okay not to find a branch.
Comment 6 Arvid Requate univentionstaff 2018-05-08 14:10:06 CEST
> Which one:

The one listed in the patch.
Comment 7 Arvid Requate univentionstaff 2018-05-09 13:03:27 CEST
Verified:
* Patch source validated
* Missing hunk does not apply to jessie version, code not present
* No other UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 8 Arvid Requate univentionstaff 2018-05-09 14:46:42 CEST
<http://errata.software-univention.de/ucs/4.2/416.html>