FS#70555 - [openexr] [Security] arbitrary code execution (CVE-2021-23169)
Attached to Project:
Arch Linux
Opened by Jonas Witschel (diabonas) - Friday, 23 April 2021, 08:34 GMT
Last edited by Antonio Rojas (arojas) - Friday, 23 April 2021, 09:32 GMT
Details
Summary
=======
The package openexr is vulnerable to arbitrary code execution via CVE-2021-23169.

Guidance
========
Upgrading openexr to the latest version 3.0.1 (https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.0.1) fixes the issue.

References
==========
https://security.archlinux.org/AVG-1862
https://github.com/AcademySoftwareFoundation/openexr/pull/872
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28155
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e
Comment by Antonio Rojas (arojas) - Friday, 23 April 2021, 09:20 GMT

Which is the relevant part of the commit? Except for the first chunk, the rest of the code is not in 2.5.5.

Comment by Jonas Witschel (diabonas) - Friday, 23 April 2021, 09:29 GMT

Oh, you are right, the exrcheck executable that is affected by this issue has only been introduced in the 3.0.0 release. This bug report can be closed then, sorry for the noise!
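The outcome of the thread is a version window rather than a blanket "upgrade": exrcheck first shipped in 3.0.0, and 3.0.1 carries the fix, so 2.5.5 was never exposed. The script below is an added example (not part of this ticket, of Arch's tooling or of the OpenEXR project) that turns that into a check a package maintainer or admin can run. It assumes the window [3.0.0, 3.0.1) derived from the comments above, a plain numeric dotted version (an optional pacman pkgrel suffix such as "-1" is stripped), and the `pacman -Q openexr` output format "openexr VERSION-REL"; the script name and function names are hypothetical.

```shell
#!/bin/sh
# check_openexr.sh (hypothetical name): is the installed openexr in the
# version window affected by CVE-2021-23169 as discussed in FS#70555?
# Added example, not code from the bug report or from OpenEXR.
#
# Window assumed from the ticket: exrcheck appears in 3.0.0, the fix is
# in 3.0.1, so only [3.0.0, 3.0.1) is affected; 2.x has no exrcheck.

# ver_ge A B: return 0 if dotted numeric version A >= B.
# A trailing pkgrel ("3.0.1-1") is ignored; missing fields count as 0.
ver_ge() {
    a=${1%%-*}
    b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}
        fb=${b%%.*}
        # drop the field just read (and its dot) from each string
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# openexr_affected VERSION: return 0 if 3.0.0 <= VERSION < 3.0.1.
openexr_affected() {
    if ver_ge "$1" 3.0.0 && ! ver_ge "$1" 3.0.1; then
        return 0
    fi
    return 1
}

# report [VERSION]: use the given version, or query pacman on Arch.
# Exit status: 0 not affected, 1 affected, 2 version unknown.
report() {
    ver=${1:-$(pacman -Q openexr 2>/dev/null | cut -d' ' -f2)}
    if [ -z "$ver" ]; then
        echo "openexr: not installed or version unknown"
        return 2
    fi
    if openexr_affected "$ver"; then
        echo "openexr $ver: affected by CVE-2021-23169, upgrade to 3.0.1"
        return 1
    fi
    echo "openexr $ver: not affected (no exrcheck before 3.0.0, fixed in 3.0.1)"
    return 0
}

# Usage: sh check_openexr.sh [VERSION]; with no argument, pacman is queried.
case "${1:-}" in
    ?*) report "$1" ;;
esac
```

Run it with an explicit version to see the three outcomes (`sh check_openexr.sh 2.5.5`, `3.0.0`, `3.0.1-1`); on an Arch box, run it without arguments and it reads the installed version from pacman. The comparison is purely numeric, so pre-release strings like "3.0.0rc1" are outside what it handles.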