Bug 1203278 (CVE-2022-38529)

Summary:	VUL-0: CVE-2022-38529: godot: heap-buffer overflow via the component rleUncompress.
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Carlos López <carlos.lopez>
Component:	Security	Assignee:	c unix <cunix>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Minor
Priority:	P3 - Medium	CC:	maxmitschke
Version:	Current
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/341670/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Carlos López 2022-09-09 08:28:46 UTC

rh#2124778

tinyexr commit 0647fb3 was discovered to contain a heap-buffer overflow via the component rleUncompress.

https://github.com/syoyo/tinyexr/issues/169

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2124778
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38529
https://www.cve.org/CVERecord?id=CVE-2022-38529
https://github.com/syoyo/tinyexr/issues/169
http://www.cvedetails.com/cve/CVE-2022-38529/

Comment 1 Carlos López 2022-09-09 08:29:50 UTC

Godot embeds tinyexr under the thirdparty/tinyexr/ path.

Comment 2 OBSbugzilla Bot 2022-09-16 18:25:03 UTC

This is an autogenerated message for OBS integration:
This bug (1203278) was mentioned in
https://build.opensuse.org/request/show/1004169 Factory / godot

Comment 3 c unix 2022-09-22 17:21:29 UTC

(In reply to OBSbugzilla Bot from comment #2)
> https://build.opensuse.org/request/show/1004169 Factory / godot

with this accepted it is fixed?

Comment 4 Carlos López 2022-09-27 07:44:26 UTC

(In reply to c unix from comment #3)
> (In reply to OBSbugzilla Bot from comment #2)
> > https://build.opensuse.org/request/show/1004169 Factory / godot
> 
> with this accepted it is fixed?

Correct