Bug 1180109 (CVE-2020-16589)

Summary: VUL-1: CVE-2020-16589: openexr: heap-based buffer overflow in writeTileData in ImfTiledOutputFile.cpp
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: pgajdos
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/273578/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1179879
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-12-16 12:56:52 UTC
CVE-2020-16589

A heap-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0
in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service
via a crafted EXR file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16589
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8
https://github.com/AcademySoftwareFoundation/openexr/issues/494

Comment 1 Wolfgang Frisch 2020-12-16 13:00:48 UTC
See also: https://bugzilla.suse.com/show_bug.cgi?id=1179879

Comment 2 Wolfgang Frisch 2020-12-16 13:12:51 UTC
Tracked in https://bugzilla.suse.com/show_bug.cgi?id=1179879

*** This bug has been marked as a duplicate of bug 1179879 ***