git: b41e604352c1 - main - security/vuxml: document OpenEXR < 3.1.4 vuln

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Fri, 28 Jan 2022 18:52:02 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b41e604352c150eed8fa42cd04bc0176cd2190c0

commit b41e604352c150eed8fa42cd04bc0176cd2190c0
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2022-01-28 18:48:14 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2022-01-28 18:51:52 +0000

    security/vuxml: document OpenEXR < 3.1.4 vuln
    
    Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute
    
    Security:       b6ef8a53-8062-11ec-9af3-fb232efe4d2e
    Security:       CVE-2021-45942
---
 security/vuxml/vuln-2022.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index e11b932683af..9337a4faab3e 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,36 @@
+  <vuln vid="b6ef8a53-8062-11ec-9af3-fb232efe4d2e">
+    <topic>OpenEXR -- Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute</topic>
+    <affects>
+      <package>
+	<name>openexr</name>
+	<range><lt>3.1.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Cary Phillips reports:</p>
+	<blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/blob/v3.1.4/CHANGES.md#version-314-january-26-2022">
+	  <p>[OpenEXR Version 3.1.4 is a] patch release that [...]
+	    addresses one public security vulnerability:
+	    CVE-2021-45942 Heap-buffer-overflow in
+	    Imf_3_1::LineCompositeTask::execute [and several]
+	    specific OSS-fuzz issues [...].</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-45942</cvename>
+      <url>https://github.com/AcademySoftwareFoundation/openexr/blob/v3.1.4/CHANGES.md#version-314-january-26-2022</url>
+      <url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416</url> <!-- reported for dates.discovery below -->
+      <url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41999</url> <!-- reported 2021-12-04 -->
+      <url>https://github.com/AcademySoftwareFoundation/openexr/pull/1209</url> <!-- fix for CVE-inducing issue -->
+    </references>
+    <dates>
+      <discovery>2021-11-26</discovery>
+      <entry>2022-01-28</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="1aaaa5c6-804d-11ec-8be6-d4c9ef517024">
     <topic>OpenSSL -- BN_mod_exp incorrect results on MIPS</topic>
     <affects>
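Review bot: The affected range `<range><lt>3.1.4</lt></range>` has no lower bound, so it also flags any 2.x openexr package version, while the topic names `Imf_3_1::LineCompositeTask::execute`, a symbol in the 3.1 ABI namespace; if the defect is specific to the 3.1 series, as the namespace suggests, the range should be bounded, e.g. `<range><ge>3.1.0</ge><lt>3.1.4</lt></range>`. If the same code path is known to exist in 2.x as well, a short `<!-- 2.x also affected -->` comment beside the range would stop the next maintainer from tightening it without checking. Keeping the OSS-Fuzz issue that backs `<discovery>` annotated inline, as done here, is good practice for auditing the dates later.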