Bug 1040107 - (CVE-2017-9110) VUL-1: CVE-2017-9110: openexr,OpenEXR: invalid read of size 2 in the hufDecode function in ImfHuf.cpp
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/185570/
Whiteboard: CVSSv3:RedHat:CVE-2017-9110:3.3:(AV:L...
Reported: 2017-05-22 09:08 UTC by Alexander Bergmann
Modified: 2020-02-11 09:20 UTC (History)

Found By: Security Response Team


Attachments
id:000012,sig:11,src:000328+001154,op:splice,rep:16 (3.07 KB, image/x-exr)
2017-05-22 09:10 UTC, Alexander Bergmann

Description Alexander Bergmann 2017-05-22 09:08:08 UTC
CVE-2017-9110

In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in
ImfHuf.cpp could cause the application to crash.

Valgrind reproducer:
# valgrind exr2aces id:000012,sig:11,src:000328+001154,op:splice,rep:16 /dev/null

This issue is currently unfixed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9110
http://www.openwall.com/lists/oss-security/2017/05/12/5
Comment 1 Alexander Bergmann 2017-05-22 09:10:00 UTC
Created attachment 725858 [details]
id:000012,sig:11,src:000328+001154,op:splice,rep:16
Comment 2 Petr Gajdos 2017-05-23 09:59:04 UTC
https://github.com/openexr/openexr/issues/232

We do not have 2.2.0 anywhere. The issue referenced above contains testcases and valgrind outputs. I will go through them for 11/OpenEXR and will see whether I get the same results.
Comment 3 Petr Gajdos 2017-05-24 07:19:17 UTC
I see, OpenEXR was renamed to openexr.
Comment 4 Petr Gajdos 2017-05-24 07:32:29 UTC
Tumbleweed/openexr, 12/openexr, 11/OpenEXR affected:

$ exrmakepreview id:000012,sig:11,src:000328+001154,op:splice,rep:16 foo
[..]
==818== Invalid read of size 2
==818==    at 0x4E9F777: hufDecode (ImfHuf.cpp:898)
==818==    by 0x4E9F777: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1101)
==818==    by 0x4EA1D9B: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==818==    by 0x4EA21E6: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:288)
==818==    by 0x4EC1FBA: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:541)
==818==    by 0x65E2AAE: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (in /usr/lib64/libIlmThread-2_2.so.12.0.0)
==818==    by 0x4EC5129: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1617)
==818==    by 0x4E94720: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==818==    by 0x40209D: generatePreview (makePreview.cpp:114)
==818==    by 0x40209D: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:162)
==818==    by 0x401BE8: main (main.cpp:185)
==818==  Address 0x6e0403e is 2 bytes before a block of size 8,356,352 alloc'd
==818==    at 0x4C2CE3F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==818==    by 0x4EA123B: Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) (ImfPizCompressor.cpp:194)
==818==    by 0x4EA071F: Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) (ImfCompressor.cpp:148)
==818==    by 0x4EC4840: Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) (ImfScanLineInputFile.cpp:1118)
==818==    by 0x4EC5C06: Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) (ImfScanLineInputFile.cpp:1190)
==818==    by 0x4E9370A: Imf_2_2::InputFile::initialize() (ImfInputFile.cpp:555)
==818==    by 0x4E93BDA: Imf_2_2::InputFile::InputFile(char const*, int) (ImfInputFile.cpp:382)
==818==    by 0x4E9C1CB: Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) (ImfRgbaFile.cpp:1166)
==818==    by 0x401FDA: generatePreview (makePreview.cpp:105)
==818==    by 0x401FDA: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:162)
==818==    by 0x401BE8: main (main.cpp:185)
[..]
$
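The valgrind report above places the read 2 bytes before the start of the output block allocated for the 16-bit samples, which is the shape of a decoder looking back at out[-1] before any sample has been written. Whether OpenEXR's hufDecode reaches that address the same way is not established on this page; the following is an added illustration (not OpenEXR code and not the upstream fix) using a constructed toy run-length stream of 16-bit samples. It shows the unchecked pattern beside a hardened decoder that validates both the lookback and the remaining space before every read and write, and that rejects a stream that ends short, in the spirit of the "decoded data are shorter than expected" error in the traces.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed toy stream format for this example (NOT OpenEXR's Huffman/PIZ
// encoding): each input byte is either a literal sample (0x00..0x7F, stored
// as the 16-bit output value) or a repeat code 0x80|n, meaning "emit n more
// copies of the sample written just before this point".
enum DecodeStatus {
    DECODE_OK = 0,
    DECODE_REPEAT_WITHOUT_PREVIOUS,  // repeat code before any sample was written
    DECODE_OUTPUT_OVERFLOW,          // run or literal would write past the end
    DECODE_SHORT_OUTPUT              // stream ended before the buffer was full
};

// Unchecked decoder, kept only to make the bug pattern visible: a repeat code
// as the first symbol reads out[-1], i.e. 2 bytes before the output buffer,
// which is the symptom class valgrind reports above. It is the "before" of
// the hardened form below and must not be fed untrusted input.
size_t decodeUnchecked(const uint8_t* in, size_t inLen, uint16_t* out)
{
    size_t pos = 0;
    for (size_t i = 0; i < inLen; ++i) {
        uint8_t c = in[i];
        if (c & 0x80) {
            size_t n = c & 0x7F;
            uint16_t prev = out[pos - 1];      // no check that pos > 0
            for (size_t k = 0; k < n; ++k)
                out[pos++] = prev;            // no check against the buffer end
        } else {
            out[pos++] = c;                   // no check against the buffer end
        }
    }
    return pos;
}

// Hardened decoder: every read and write is bounds-checked against the
// buffer actually allocated, and a stream that does not fill the buffer is
// rejected instead of leaving uninitialised samples behind.
DecodeStatus decodeChecked(const uint8_t* in, size_t inLen,
                           uint16_t* out, size_t outLen)
{
    size_t pos = 0;
    for (size_t i = 0; i < inLen; ++i) {
        uint8_t c = in[i];
        if (c & 0x80) {
            size_t n = c & 0x7F;
            if (pos == 0)
                return DECODE_REPEAT_WITHOUT_PREVIOUS;  // would read out[-1]
            if (n > outLen - pos)
                return DECODE_OUTPUT_OVERFLOW;          // would write past out+outLen
            uint16_t prev = out[pos - 1];
            for (size_t k = 0; k < n; ++k)
                out[pos++] = prev;
        } else {
            if (pos >= outLen)
                return DECODE_OUTPUT_OVERFLOW;
            out[pos++] = c;
        }
    }
    return pos == outLen ? DECODE_OK : DECODE_SHORT_OUTPUT;
}

// Convenience wrapper: sizes the output exactly as the caller expects and
// returns the decoder's verdict.
DecodeStatus decodeToVector(const std::vector<uint8_t>& in, size_t outLen,
                            std::vector<uint16_t>& out)
{
    out.assign(outLen, 0);
    return decodeChecked(in.data(), in.size(), out.data(), outLen);
}

int main()
{
    // Constructed sample streams, each decoded into a 4-sample buffer.
    const std::vector<uint8_t> good     = {0x05, 0x82, 0x07};  // 5, 5, 5, 7
    const std::vector<uint8_t> badRpt   = {0x83, 0x07};        // repeat first: lookback before out[0]
    const std::vector<uint8_t> tooLong  = {0x05, 0x85};        // run of 5 into 3 free slots
    const std::vector<uint8_t> tooShort = {0x05};              // only 1 of 4 samples

    std::vector<uint16_t> out;
    std::printf("good:     status %d\n", decodeToVector(good, 4, out));
    std::printf("badRpt:   status %d\n", decodeToVector(badRpt, 4, out));
    std::printf("tooLong:  status %d\n", decodeToVector(tooLong, 4, out));
    std::printf("tooShort: status %d\n", decodeToVector(tooShort, 4, out));
    return 0;
}
```

The check that matters for the trace above is the `pos == 0` test before the lookback; the `n > outLen - pos` test is written with subtraction on the known-smaller side so it cannot wrap, and the final length comparison turns a truncated stream into an error rather than a buffer of partly stale samples.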
Comment 5 Petr Gajdos 2017-05-24 08:10:53 UTC
http://www.openwall.com/lists/oss-security/2017/05/12/5

This issue is currently unfixed.
Comment 6 Petr Gajdos 2017-05-24 09:26:43 UTC
Note that our packages do not contain the exr2aces utility, that's why I am using exrmakepreview.
Comment 7 Swamp Workflow Management 2018-02-12 12:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (1040107) was mentioned in
https://build.opensuse.org/request/show/575614 Factory / openexr
Comment 8 Petr Gajdos 2018-02-12 13:58:30 UTC
BEFORE

12/openexr

$ valgrind -q exrmakepreview 000012 foo
==13679== Invalid read of size 2
==13679==    at 0x4E95970: hufDecode (ImfHuf.cpp:891)
==13679==    by 0x4E95970: Imf_2_1::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1076)
==13679==    by 0x4E97E69: Imf_2_1::PizCompressor::uncompress(char const*, int, Imath_2_1::Box<Imath_2_1::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==13679==    by 0x4E98321: Imf_2_1::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:288)
==13679==    by 0x4EA4B24: Imf_2_1::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:544)
==13679==    by 0x640FB18: IlmThread_2_1::ThreadPool::addTask(IlmThread_2_1::Task*) (in /usr/lib64/libIlmThread-2_1.so.11.0.0)
==13679==    by 0x4EA7FDA: Imf_2_1::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1617)
==13679==    by 0x4E8B5B4: Imf_2_1::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==13679==    by 0x401F5A: generatePreview (makePreview.cpp:113)
==13679==    by 0x401F5A: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:161)
==13679==    by 0x401AF3: main (main.cpp:185)
==13679==  Address 0x6c3003e is 2 bytes before a block of size 8,356,352 alloc'd
==13679==    at 0x4C29D90: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13679==    by 0x4E979E7: Imf_2_1::PizCompressor::PizCompressor(Imf_2_1::Header const&, unsigned long, unsigned long) (ImfPizCompressor.cpp:194)
==13679==    by 0x4E96A7F: Imf_2_1::newCompressor(Imf_2_1::Compression, unsigned long, Imf_2_1::Header const&) (ImfCompressor.cpp:145)
==13679==    by 0x4EA8950: Imf_2_1::ScanLineInputFile::initialize(Imf_2_1::Header const&) (ImfScanLineInputFile.cpp:1120)
==13679==    by 0x4EA8D6A: Imf_2_1::ScanLineInputFile::ScanLineInputFile(Imf_2_1::Header const&, Imf_2_1::IStream*, int) (ImfScanLineInputFile.cpp:1190)
==13679==    by 0x4E8A6CA: Imf_2_1::InputFile::initialize() (ImfInputFile.cpp:555)
==13679==    by 0x4E8AB34: Imf_2_1::InputFile::InputFile(char const*, int) (ImfInputFile.cpp:382)
==13679==    by 0x4E928AB: Imf_2_1::RgbaInputFile::RgbaInputFile(char const*, int) (ImfRgbaFile.cpp:1166)
==13679==    by 0x401EA4: generatePreview (makePreview.cpp:104)
==13679==    by 0x401EA4: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:161)
==13679==    by 0x401AF3: main (main.cpp:185)
==13679== 
Error reading pixel data from image file "000012". Error in Huffman-encoded data (decoded data are shorter than expected).
$

11/OpenEXR

$ valgrind -q exrmakepreview 000012 foo
==13684== Invalid read of size 2
==13684==    at 0x4E6C180: Imf::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:877)
==13684==    by 0x4E6F962: Imf::PizCompressor::uncompress(char const*, int, Imath::Box<Imath::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:569)
==13684==    by 0x4E6FD80: Imf::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:281)
==13684==    by 0x4E7B8C2: Imf::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:471)
==13684==    by 0x575871F: IlmThread::ThreadPool::addTask(IlmThread::Task*) (in /usr/lib64/libIlmThread.so.6.0.0)
==13684==    by 0x4E7D61F: Imf::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:923)
==13684==    by 0x40229E: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:112)
==13684==    by 0x401E0C: main (main.cpp:185)
==13684==  Address 0x6c6202e is 2 bytes before a block of size 8,356,352 alloc'd
==13684==    at 0x4C2492C: operator new[](unsigned long) (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13684==    by 0x4E6EC53: Imf::PizCompressor::PizCompressor(Imf::Header const&, int, int) (ImfPizCompressor.cpp:188)
==13684==    by 0x4E6DDE6: Imf::newCompressor(Imf::Compression, int, Imf::Header const&) (ImfCompressor.cpp:130)
==13684==    by 0x4E7C02C: Imf::ScanLineInputFile::ScanLineInputFile(Imf::Header const&, Imf::IStream*, int) (ImfScanLineInputFile.cpp:676)
==13684==    by 0x4E6082E: Imf::InputFile::initialize() (ImfInputFile.cpp:386)
==13684==    by 0x4E60CCA: Imf::InputFile::InputFile(char const*, int) (ImfInputFile.cpp:317)
==13684==    by 0x4E68B57: Imf::RgbaInputFile::RgbaInputFile(char const*, int) (ImfRgbaFile.cpp:1113)
==13684==    by 0x4021F4: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:103)
==13684==    by 0x401E0C: main (main.cpp:185)
Error reading pixel data from image file "000012". Error in Huffman-encoded data (decoded data are shorter than expected).
$

10sp2/OpenEXR

$ valgrind -q exrmakepreview 000012 foo
==13709== Invalid read of size 2
==13709==    at 0x4B655F0: Imf::(anonymous namespace)::hufDecode(unsigned long const*, Imf::(anonymous namespace)::HufDec const*, char const*, int, int, int, unsigned short*) (ImfHuf.cpp:726)
==13709==    by 0x4B657D6: Imf::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:906)
==13709==    by 0x4B68BDE: Imf::PizCompressor::uncompress(char const*, int, Imath::Box<Imath::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:583)
==13709==    by 0x4B68F80: Imf::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:295)
==13709==    by 0x4B70878: Imf::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:573)
==13709==    by 0x401C16: (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf::Array2D<Imf::PreviewRgba>&) (makePreview.cpp:112)
==13709==    by 0x401FD6: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:160)
==13709==    by 0x4018AE: main (main.cpp:185)
==13709==  Address 0x5bb402e is 2 bytes before a block of size 8,356,352 alloc'd
==13709==    at 0x4A202C7: operator new[](unsigned long) (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13709==    by 0x4B68056: Imf::PizCompressor::PizCompressor(Imf::Header const&, int, int) (ImfPizCompressor.cpp:202)
==13709==    by 0x4B66FF4: Imf::newCompressor(Imf::Compression, int, Imf::Header const&) (ImfCompressor.cpp:127)
==13709==    by 0x4B71A9C: Imf::ScanLineInputFile::ScanLineInputFile(Imf::Header const&, Imf::IStream*) (ImfScanLineInputFile.cpp:331)
==13709==    by 0x4B5BA82: Imf::InputFile::initialize() (ImfInputFile.cpp:450)
==13709==    by 0x4B5C4E6: Imf::InputFile::InputFile(char const*) (ImfInputFile.cpp:393)
==13709==    by 0x4B624EE: Imf::RgbaInputFile::RgbaInputFile(char const*) (ImfRgbaFile.cpp:1085)
==13709==    by 0x401B81: (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf::Array2D<Imf::PreviewRgba>&) (makePreview.cpp:103)
==13709==    by 0x401FD6: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:160)
==13709==    by 0x4018AE: main (main.cpp:185)
Error reading pixel data from image file "000012". Error in Huffman-encoded data (decoded data are shorter than expected).
$
Comment 9 Petr Gajdos 2018-02-12 14:03:26 UTC
2.2.1:

$ valgrind -q exrmakepreview 000012 foo
Error reading pixel data from image file "000012". Error in header for PIZ-compressed data (invalid array length).
$

Seems to be fixed.
Comment 10 Petr Gajdos 2018-02-12 14:22:23 UTC
https://github.com/openexr/openexr/commit/49db4a4192482eec9c27669f75db144cf5434804

But it does not fix all openexr issues, unfortunately (four of nine currently reported to me).
Comment 12 Petr Gajdos 2018-02-12 14:51:49 UTC
AFTER

12/openexr

$ valgrind -q exrmakepreview 000012 foo
Error reading pixel data from image file "000012". Error in header for PIZ-compressed data (invalid array length).
$

11/OpenEXR

$ valgrind -q exrmakepreview 000012 foo
Error reading pixel data from image file "000012". Error in header for PIZ-compressed data (invalid array length).
$

10sp2/OpenEXR

$ valgrind -q exrmakepreview 000012 foo
Error reading pixel data from image file "000012". Error in header for PIZ-compressed data (invalid array length).
$
Comment 13 Petr Gajdos 2018-02-12 15:06:49 UTC
I believe all fixed.
Comment 14 Swamp Workflow Management 2018-02-12 15:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1040107) was mentioned in
https://build.opensuse.org/request/show/575815 Factory / openexr
Comment 16 Swamp Workflow Management 2018-02-13 16:59:41 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-02-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63972
Comment 17 Swamp Workflow Management 2018-03-02 14:08:59 UTC
SUSE-SU-2018:0585-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040107,1040114,1052522
CVE References: CVE-2017-12596,CVE-2017-9110,CVE-2017-9114
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    openexr-2.1.0-6.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openexr-2.1.0-6.3.1
Comment 18 Swamp Workflow Management 2018-03-02 14:10:33 UTC
SUSE-SU-2018:0587-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040107,1040114,1052522
CVE References: CVE-2017-12596,CVE-2017-9110,CVE-2017-9114
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    OpenEXR-1.6.1-83.17.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    OpenEXR-1.6.1-83.17.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    OpenEXR-1.6.1-83.17.3.1
Comment 19 Swamp Workflow Management 2018-03-06 23:12:10 UTC
openSUSE-SU-2018:0619-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040107,1040114,1052522
CVE References: CVE-2017-12596,CVE-2017-9110,CVE-2017-9114
Sources used:
openSUSE Leap 42.3 (src):    openexr-2.1.0-10.3.1
Comment 20 Marcus Meissner 2019-07-10 05:54:39 UTC
released
Comment 21 Swamp Workflow Management 2020-02-11 09:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1040107) was mentioned in
https://build.opensuse.org/request/show/773383 Factory / openexr