Mageia: MGASA-2021-0016 High: OpenEXR Resource Exhaustion Vulnerability

mageia

January 10, 2021

An issue was discovered in OpenEXR before 2.5.2

Summary

An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference (CVE-2020-15304).
An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp (CVE-2020-15305).
An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp (CVE-2020-15306).
A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file (CVE-2020-16587).
A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a den...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=26914

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/

- https://ubuntu.com/security/notices/USN-4418-1

- https://ubuntu.com/security/notices/USN-4676-1

- https://www.cve.org/CVERecord?id=CVE-2020-15304

- https://www.cve.org/CVERecord?id=CVE-2020-15305

- https://www.cve.org/CVERecord?id=CVE-2020-15306

- https://www.cve.org/CVERecord?id=CVE-2020-16587

- https://www.cve.org/CVERecord?id=CVE-2020-16588

- https://www.cve.org/CVERecord?id=CVE-2020-16589

Topics Covered

security advisory critical issue denial service security fix memory access Denial of Service OpenEXR Mageia

Resolution

SRPMS

- 7/core/openexr-2.3.0-2.3.mga7

Publication date: 10 Jan 2021

URL: https://advisories.mageia.org/MGASA-2021-0015.html

Type: security

CVE: CVE-2020-15304, CVE-2020-15305, CVE-2020-15306, CVE-2020-16587, CVE-2020-16588, CVE-2020-16589

Topics Covered

security advisory critical issue denial service security fix memory access Denial of Service OpenEXR Mageia

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Mageia: MGASA-2021-0016 High: OpenEXR Resource Exhaustion Vulnerability

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Mageia: MGASA-2021-0016 High: OpenEXR Resource Exhaustion Vulnerability

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!