[Pkg-phototools-devel] Bug#864078: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-9117

Markus Koschany apo at debian.org
Thu Aug 31 22:16:44 UTC 2017


clone 864078 -1
severity -1 important
thanks

I have prepared a security update for openexr which I am going to upload
in due course. The upload will fix CVE-2017-9110, CVE-2017-9112 and
CVE-2017-9116. The other CVEs are not considered critical by
upstream. In fact it looks more like they are just normal bugs in the
exr2aces test program which is not built by default. I'm going to clone
this bug report because of the outstanding issues but will lower the
severity to important.

Regards,

Markus
-------------- next part --------------
diff -Nru openexr-2.2.0/debian/changelog openexr-2.2.0/debian/changelog
--- openexr-2.2.0/debian/changelog	2016-07-19 08:53:33.000000000 +0200
+++ openexr-2.2.0/debian/changelog	2017-08-31 23:52:03.000000000 +0200
@@ -1,3 +1,14 @@
+openexr (2.2.0-11.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116.
+    Brandon Perry discovered that openexr was affected by an integer overflow
+    vulnerability and missing boundary checks that would allow a remote
+    attacker to cause a denial of service (application crash) via specially
+    crafted image files. (Closes: #864078)
+
+ -- Markus Koschany <apo at debian.org>  Thu, 31 Aug 2017 23:52:03 +0200
+
 openexr (2.2.0-11) unstable; urgency=medium
 
   * Remove symbols files. Closes: #807079
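Review bot: The new changelog entry closes #864078 while listing only CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116, although the bug title carries eight CVE ids. The entry should say that the remaining ids are tracked in the cloned bug, so that the security tracker and later uploaders do not read the closure as covering all of them. It would also help to name the patch file, debian/patches/CVE-2017-911x.patch, in the entry so the fix can be located from the changelog alone.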
diff -Nru openexr-2.2.0/debian/patches/CVE-2017-911x.patch openexr-2.2.0/debian/patches/CVE-2017-911x.patch
--- openexr-2.2.0/debian/patches/CVE-2017-911x.patch	1970-01-01 01:00:00.000000000 +0100
+++ openexr-2.2.0/debian/patches/CVE-2017-911x.patch	2017-08-31 23:52:03.000000000 +0200
@@ -0,0 +1,97 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 31 Aug 2017 23:31:42 +0200
+Subject: CVE-2017-911x
+
+Bug-Upstream: https://github.com/openexr/openexr/issues/232
+Bug-Debian: https://bugs.debian.org/864078
+Origin: https://github.com/binarycrusader/openexr/commit/cc603afc7857b99c55360be75a9549422991c1e9
+---
+ IlmImf/ImfDwaCompressor.cpp |  7 ++++++-
+ IlmImf/ImfHuf.cpp           | 10 ++++++----
+ IlmImf/ImfPizCompressor.cpp |  6 ++++++
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
+index 1c1bd45..2ef8878 100644
+--- a/IlmImf/ImfDwaCompressor.cpp
++++ b/IlmImf/ImfDwaCompressor.cpp
+@@ -2377,7 +2377,12 @@ DwaCompressor::uncompress
+ 
+     const char *dataPtr            = inPtr + NUM_SIZES_SINGLE * sizeof(Int64);
+ 
+-    if (inSize < headerSize + compressedSize) 
++    /* Both the sum and individual sizes are checked in case of overflow. */
++    if (inSize < (headerSize + compressedSize) ||
++        inSize < unknownCompressedSize ||
++        inSize < acCompressedSize ||
++        inSize < dcCompressedSize ||
++        inSize < rleCompressedSize)
+     {
+         throw Iex::InputExc("Error uncompressing DWA data"
+                             "(truncated file).");
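Review bot: In DwaCompressor::uncompress the first clause, `inSize < (headerSize + compressedSize)`, still performs the addition that the new comment is guarding against, so a wrapped sum can pass it, and the four per-field comparisons bound each size by inSize without bounding their total. An overflow-free form avoids relying on the extra clauses: reject when headerSize > inSize, then test `compressedSize > inSize - headerSize`. Please also confirm that inSize and the size fields are compared in the same signedness. The "(truncated file)" message now also fires for corrupt size fields, which may merit its own wording.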
+diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
+index a375d05..97909a5 100644
+--- a/IlmImf/ImfHuf.cpp
++++ b/IlmImf/ImfHuf.cpp
+@@ -822,7 +822,7 @@ hufEncode				// return: output size (in bits)
+ }
+ 
+ 
+-#define getCode(po, rlc, c, lc, in, out, oe)	\
++#define getCode(po, rlc, c, lc, in, out, ob, oe)\
+ {						\
+     if (po == rlc)				\
+     {						\
+@@ -835,6 +835,8 @@ hufEncode				// return: output size (in bits)
+ 						\
+ 	if (out + cs > oe)			\
+ 	    tooMuchData();			\
++	else if (out - 1 < ob)			\
++	    notEnoughData();			\
+ 						\
+ 	unsigned short s = out[-1];		\
+ 						\
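Review bot: The new guard in getCode, `else if (out - 1 < ob)`, forms a pointer one element before the start of the output buffer when out == ob, which is outside what C++ pointer arithmetic defines and may be folded away by an optimizer. Writing it as `out <= ob` expresses the same condition without computing the out-of-range pointer. Because the guard is an `else if` on the `out + cs > oe` test, it depends on tooMuchData() never returning; making it an independent `if` placed directly before the `out[-1]` read would remove that dependency. notEnoughData() also reports an input shortage, while the condition here is a run-length code with no preceding output symbol, so a distinct error would make crash triage easier.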
+@@ -895,7 +897,7 @@ hufDecode
+ 		//
+ 
+ 		lc -= pl.len;
+-		getCode (pl.lit, rlc, c, lc, in, out, oe);
++		getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+ 	    }
+ 	    else
+ 	    {
+@@ -925,7 +927,7 @@ hufDecode
+ 			    //
+ 
+ 			    lc -= l;
+-			    getCode (pl.p[j], rlc, c, lc, in, out, oe);
++			    getCode (pl.p[j], rlc, c, lc, in, out, outb, oe);
+ 			    break;
+ 			}
+ 		    }
+@@ -952,7 +954,7 @@ hufDecode
+ 	if (pl.len)
+ 	{
+ 	    lc -= pl.len;
+-	    getCode (pl.lit, rlc, c, lc, in, out, oe);
++	    getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+ 	}
+ 	else
+ 	{
+diff --git a/IlmImf/ImfPizCompressor.cpp b/IlmImf/ImfPizCompressor.cpp
+index 46c6fba..8b3ee38 100644
+--- a/IlmImf/ImfPizCompressor.cpp
++++ b/IlmImf/ImfPizCompressor.cpp
+@@ -573,6 +573,12 @@ PizCompressor::uncompress (const char *inPtr,
+     int length;
+     Xdr::read <CharPtrIO> (inPtr, length);
+ 
++    if (length > inSize)
++    {
++	throw InputExc ("Error in header for PIZ-compressed data "
++			"(invalid array length).");
++    }
++
+     hufUncompress (inPtr, length, _tmpBuffer, tmpBufferEnd - _tmpBuffer);
+ 
+     //
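Review bot: In PizCompressor::uncompress, `length` is declared `int` and filled from the input by Xdr::read, so a negative value does not trip `length > inSize` and is still passed to hufUncompress; the condition should also reject `length < 0`. At least one field has already been consumed from inPtr at this point, so comparing against the bytes actually remaining rather than the full inSize would give the tighter bound.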
diff -Nru openexr-2.2.0/debian/patches/series openexr-2.2.0/debian/patches/series
--- openexr-2.2.0/debian/patches/series	2016-07-19 08:51:39.000000000 +0200
+++ openexr-2.2.0/debian/patches/series	2017-08-31 23:52:03.000000000 +0200
@@ -8,3 +8,4 @@
 openexr-2.1.0-bigendian.patch
 bigendian_step2.patch
 bug815594.patch
+CVE-2017-911x.patch