Bug 1113454 - (CVE-2018-18443) VUL-1: CVE-2018-18443: OpenEXR, openexr: Memory leak in ThreadPool in IlmBase/IlmThread/IlmThreadPool.cpp
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/217541/
Reported: 2018-10-26 07:42 UTC by Karol Babioch
Modified: 2018-12-16 15:54 UTC
Found By: Security Response Team
Description Karol Babioch 2018-10-26 07:42:19 UTC
OpenEXR 2.3.0 has a memory leak in ThreadPool in
IlmBase/IlmThread/IlmThreadPool.cpp, as demonstrated by exrmultiview.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1643093
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18443
https://github.com/openexr/openexr/issues/350
Comment 1 Petr Gajdos 2018-11-06 15:08:57 UTC
Do you see the buffer overflow in the valgrind output in the upstream issue?
Comment 2 Karol Babioch 2018-11-06 15:14:47 UTC
No, it seems to me more like a memory leak and not like a heap-buffer overflow as indicated in the title. Not even sure if this is worthwhile to fix :-).
Comment 4 Petr Gajdos 2018-11-06 15:44:54 UTC
TW/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Error decompressing data (input data are shorter than expected).
==658== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==658==    at 0x4030DEF: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==658==    by 0x546BC50: IlmThread_2_3::ThreadPool::ThreadPool(unsigned int) (IlmThreadPool.cpp:758)
==658==    by 0x546C164: IlmThread_2_3::ThreadPool::globalThreadPool() (IlmThreadPool.cpp:838)
==658==    by 0x4B39B53: Imf_2_3::globalThreadCount() (ImfThreading.cpp:51)
==658==    by 0x118B09: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:83)
==658==    by 0x113D37: main (main.cpp:251)
==658== 
$

with ASAN:

exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Error decompressing data (input data are shorter than expected).

=================================================================
==22955==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f2d58b2c900 in operator new(unsigned long) (/usr/lib64/libasan.so.5+0xed900)
    #1 0x7f2d59846c86 in IlmThread_2_3::ThreadPool::ThreadPool(unsigned int) /usr/src/debug/ilmbase-2.3.0-0.x86_64/IlmThread/IlmThreadPool.cpp:758
    #2 0x7f2d5984a043  (/usr/lib64/libIlmThread-2_3.so.24+0xc043)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

15/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Error decompressing data (input data are shorter than expected).
$

with ASAN:

$ exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Error decompressing data (input data are shorter than expected).
$

12/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Error decompressing data (input data are shorter than expected).
$

11,10sp3/OpenEXR

exrmultiview not available, testcase not applicable


From testing, it seems only 2.3.0 is affected.
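
The leak-versus-overflow question raised in Comments 1 and 2 can be answered mechanically from the tool output. The following Python sketch is an added example, not part of the original bug report or of OpenEXR; the function name `triage` is hypothetical and the sample strings are constructed by abridging the reports quoted in Comment 4.

```python
import re

# Constructed sample input, abridged from the reports quoted in Comment 4.
VALGRIND_SAMPLE = """\
==658== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==658==    at 0x4030DEF: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==658==    by 0x546BC50: IlmThread_2_3::ThreadPool::ThreadPool(unsigned int) (IlmThreadPool.cpp:758)
==658==    by 0x546C164: IlmThread_2_3::ThreadPool::globalThreadPool() (IlmThreadPool.cpp:838)
"""
ASAN_SAMPLE = """\
==22955==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f2d58b2c900 in operator new(unsigned long) (/usr/lib64/libasan.so.5+0xed900)
    #1 0x7f2d59846c86 in IlmThread_2_3::ThreadPool::ThreadPool(unsigned int) /usr/src/debug/ilmbase-2.3.0-0.x86_64/IlmThread/IlmThreadPool.cpp:758
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
"""

# Memcheck / ASan messages that mean memory corruption rather than a leak.
CORRUPTION = re.compile(r"Invalid (read|write) of size|"
                        r"AddressSanitizer: (heap|stack|global)-buffer-overflow|"
                        r"AddressSanitizer: heap-use-after-free")
# Leak records: Memcheck "definitely lost" and LeakSanitizer "Direct leak".
LEAK = re.compile(r"(\d[\d,]*) bytes in \d[\d,]* blocks are definitely lost|"
                  r"Direct leak of (\d+) byte\(s\)")
# A stack frame that carries function and file:line (allocator frames do not).
SITE = re.compile(r"(?:: | in )(\S+)\(.*?([\w.]+\.cpp):(\d+)\)?\s*$")

def triage(report):
    """Classify a Memcheck or ASan/LSan report and locate the allocation site."""
    result = {"kind": "clean", "leaked_bytes": 0, "site": None}
    in_leak = False
    for line in report.splitlines():
        if CORRUPTION.search(line):
            result["kind"] = "memory-corruption"  # always outranks a leak
            in_leak = False
            continue
        m = LEAK.search(line)
        if m:
            if result["kind"] == "clean":
                result["kind"] = "leak"
            result["leaked_bytes"] += int((m.group(1) or m.group(2)).replace(",", ""))
            in_leak = True
            continue
        s = SITE.search(line)
        if in_leak and s and result["site"] is None:
            result["site"] = (s.group(1), f"{s.group(2)}:{s.group(3)}")
    return result
```

Both reports from the Tumbleweed build classify as an 8-byte leak allocated in the `ThreadPool` constructor at `IlmThreadPool.cpp:758`, while the output from the older codestreams classifies as clean.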