Bug#864078: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-9117

2017-08-31 Thread Markus Koschany
clone 864078 -1
severity -1 important
thanks

I have prepared a security update for openexr which I am going to upload
in due course. The upload will fix CVE-2017-9110, CVE-2017-9112 and
CVE-2017-9116. The other CVEs are not considered critical by
upstream. In fact it looks more like they are just normal bugs in the
exr2aces test program which is not built by default. I'm going to clone
this bug report because of the outstanding issues but will lower the
severity to important.

Regards,

Markus
diff -Nru openexr-2.2.0/debian/changelog openexr-2.2.0/debian/changelog
--- openexr-2.2.0/debian/changelog  2016-07-19 08:53:33.0 +0200
+++ openexr-2.2.0/debian/changelog  2017-08-31 23:52:03.0 +0200
@@ -1,3 +1,14 @@
+openexr (2.2.0-11.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116.
+Brandon Perry discovered that openexr was affected by an integer overflow
+vulnerability and missing boundary checks that would allow a remote
+attacker to cause a denial of service (application crash) via specially
+crafted image files. (Closes: #864078)
+
+ -- Markus Koschany   Thu, 31 Aug 2017 23:52:03 +0200
+
 openexr (2.2.0-11) unstable; urgency=medium
 
   * Remove symbols files. Closes: #807079
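Review bot: The new 2.2.0-11.1 entry closes #864078 while naming only CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116 as fixed, so the changelog alone does not say what happens to the other CVEs listed in that bug's title. Consider adding a line stating that the remaining issues are tracked in the cloned bug, so a reader of the changelog does not take the whole set as resolved.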
diff -Nru openexr-2.2.0/debian/patches/CVE-2017-911x.patch 
openexr-2.2.0/debian/patches/CVE-2017-911x.patch
--- openexr-2.2.0/debian/patches/CVE-2017-911x.patch1970-01-01 
01:00:00.0 +0100
+++ openexr-2.2.0/debian/patches/CVE-2017-911x.patch2017-08-31 
23:52:03.0 +0200
@@ -0,0 +1,97 @@
+From: Markus Koschany 
+Date: Thu, 31 Aug 2017 23:31:42 +0200
+Subject: CVE-2017-911x
+
+Bug-Upstream: https://github.com/openexr/openexr/issues/232
+Bug-Debian: https://bugs.debian.org/864078
+Origin: 
https://github.com/binarycrusader/openexr/commit/cc603afc7857b99c55360be75a9549422991c1e9
+---
+ IlmImf/ImfDwaCompressor.cpp |  7 ++-
+ IlmImf/ImfHuf.cpp   | 10 ++
+ IlmImf/ImfPizCompressor.cpp |  6 ++
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
+index 1c1bd45..2ef8878 100644
+--- a/IlmImf/ImfDwaCompressor.cpp
 b/IlmImf/ImfDwaCompressor.cpp
+@@ -2377,7 +2377,12 @@ DwaCompressor::uncompress
+ 
+ const char *dataPtr= inPtr + NUM_SIZES_SINGLE * sizeof(Int64);
+ 
+-if (inSize < headerSize + compressedSize) 
++/* Both the sum and individual sizes are checked in case of overflow. */
++if (inSize < (headerSize + compressedSize) ||
++inSize < unknownCompressedSize ||
++inSize < acCompressedSize ||
++inSize < dcCompressedSize ||
++inSize < rleCompressedSize)
+ {
+ throw Iex::InputExc("Error uncompressing DWA data"
+ "(truncated file).");
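Review bot: The first condition still evaluates `headerSize + compressedSize`, the same sum the new comment says may overflow, so a wrapped sum can pass that test and the outcome then rests entirely on the four per-field comparisons. Consider testing `inSize < headerSize` first and then `compressedSize > inSize - headerSize`, which cannot wrap, and name in the comment which fields make up compressedSize so the reader can see that the individual checks are sufficient.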
+diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
+index a375d05..97909a5 100644
+--- a/IlmImf/ImfHuf.cpp
 b/IlmImf/ImfHuf.cpp
+@@ -822,7 +822,7 @@ hufEncode  // return: output size 
(in bits)
+ }
+ 
+ 
+-#define getCode(po, rlc, c, lc, in, out, oe)  \
++#define getCode(po, rlc, c, lc, in, out, ob, oe)\
+ { \
+ if (po == rlc)\
+ { \
+@@ -835,6 +835,8 @@ hufEncode  // return: output size 
(in bits)
+   \
+   if (out + cs > oe)  \
+   tooMuchData();  \
++  else if (out - 1 < ob)  \
++  notEnoughData();\
+   \
+   unsigned short s = out[-1]; \
+   \
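Review bot: In the added `else if (out - 1 < ob)` branch, `out - 1` is computed before it is known that out lies past the start of the output buffer; when out equals ob this forms a pointer before the buffer, which is undefined behaviour in C++. Writing the guard as `else if (out <= ob)` protects the `out[-1]` read below without the subtraction. Since this is a multi-line macro, bracing both branches of the if / else if chain would also make it safer to extend.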
+@@ -895,7 +897,7 @@ hufDecode
+   //
+ 
+   lc -= pl.len;
+-  getCode (pl.lit, rlc, c, lc, in, out, oe);
++  getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+   }
+   else
+   {
+@@ -925,7 +927,7 @@ hufDecode
+   //
+ 
+   lc -= l;
+-  getCode (pl.p[j], rlc, c, lc, in, out, oe);
++  getCode (pl.p[j], rlc, c, lc, in, out, outb, oe);
+   break;
+   }
+   }
+@@ -952,7 +954,7 @@ hufDecode
+   if (pl.len)
+   {
+   lc -= pl.len;
+-  getCode (pl.lit, rlc, c, lc, in, out, oe);
++  getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+   }
+   else
+   {
+diff --git a/IlmImf/ImfPizCompressor.cpp b/IlmImf/ImfPizCompressor.cpp
+index 46c6fba..8b3ee38 100644
+--- a/IlmImf/ImfPizCompressor.cpp
 b/IlmImf/ImfPizCompressor.cpp
+@@ -573,6 +573,12 @@ PizCompressor::uncompress (const char *inPtr,
+ int length;
+ Xdr::read  (inPtr, length);
+ 
++if (length > inSize)
++{
++ 
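Review bot: The new `length > inSize` test has no lower bound: `length` is declared as int and filled from the input by Xdr::read, so a negative value passes the comparison. Consider rejecting `length < 0` in the same condition. If Xdr::read advances inPtr as it consumes the field, inSize is also a looser limit than the bytes actually remaining, so comparing against the remaining input would be tighter.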


2017-06-04 Thread Mathieu Malaterre
Control: tags -1 patch

https://github.com/binarycrusader/openexr/commit/749193265ac99956f01a2dd9b20f124f2f7859d0.patch




2017-06-03 Thread Moritz Muehlenhoff
Source: openexr
Severity: grave
Tags: security

Please see http://www.openwall.com/lists/oss-security/2017/05/12/5

These were reported upstream at https://github.com/openexr/openexr/issues/232

Upstream fixes are linked in the github bug.

Cheers,
Moritz