Bug 1179879 - (CVE-2020-16587) VUL-1: CVE-2020-16587: openexr: heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp
Status: RESOLVED FIXED
: CVE-2020-16588 CVE-2020-16589 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/273025/
CVSSv3.1:SUSE:CVE-2020-16587:5.3:(AV:...
Reported: 2020-12-10 09:19 UTC by Wolfgang Frisch
Modified: 2021-01-11 08:33 UTC (History)
Found By: Security Response Team
Comment 1 Wolfgang Frisch 2020-12-10 09:23:47 UTC
CVE-2020-16587

A heap-based buffer overflow vulnerability exists in Academy Software Foundation
OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can
cause a denial of service via a crafted EXR file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16587
https://github.com/AcademySoftwareFoundation/openexr/issues/491
https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a


CVE-2020-16588

A Null Pointer Dereference issue exists in Academy Software Foundation OpenEXR
2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service
via a crafted EXR file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16588
https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f
https://github.com/AcademySoftwareFoundation/openexr/issues/493


CVE-2020-16589

A heap-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0
in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service
via a crafted EXR file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16589
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8
https://github.com/AcademySoftwareFoundation/openexr/issues/494
Comment 2 Wolfgang Frisch 2020-12-10 10:13:31 UTC
SUSE:SLE-11:Update  OpenEXR  Affected
SUSE:SLE-12:Update  openexr  Affected
SUSE:SLE-15:Update  openexr  Affected
Comment 3 Petr Gajdos 2020-12-11 16:39:19 UTC
Packages submitted. I believe all fixed.
Comment 4 Petr Gajdos 2020-12-11 16:42:33 UTC
This was too early :).
Comment 5 Petr Gajdos 2020-12-15 12:40:42 UTC
Wolfgang, why is there not a bug per CVE?
I am asking because this breaks my workflow.
For example,
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-16587
points here but
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-16588
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-16589
do not.
Comment 6 Wolfgang Frisch 2020-12-15 15:27:58 UTC
(In reply to Petr Gajdos from comment #5)
> Wolfgang, why is there not a bug per CVE?
> I am asking because this breaks my workflow.
> For example,
> https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-16587
> points here but
> https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-16588
> https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-16589
> do not.

Petr, I assumed one bug would be less work to handle. I will open individual bugs in the future, if you prefer that.
Comment 7 Petr Gajdos 2020-12-16 07:28:59 UTC
(In reply to Wolfgang Frisch from comment #6)
> Petr, I assumed one bug would be less work to handle. I will open individual
> bugs in the future, if you prefer that.

I would be glad if that does not mean much more work for you.
Comment 8 Petr Gajdos 2020-12-16 11:11:12 UTC
BEFORE


CVE-2020-16587

15

$ exrheader PoC_hbo_chunkOffsetReconstruction 
Segmentation fault (core dumped)
$

12

$ exrheader PoC_hbo_chunkOffsetReconstruction
Segmentation fault (core dumped)
$

11

$ exrheader PoC_hbo_chunkOffsetReconstruction    
Cannot read image file "PoC_hbo_chunkOffsetReconstruction". The file format version number's flag field contains unrecognized flags.
$

CVE-2020-16588

15

$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
Segmentation fault (core dumped)
$

12

$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
Segmentation fault (core dumped)
$

11

$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
Segmentation fault (core dumped)
$

CVE-2020-16589

15

$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Segmentation fault (core dumped)
$

12

$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Segmentation fault (core dumped)
$

11

$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Segmentation fault (core dumped)
$


PATCH

CVE-2020-16587
https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a
no such code found in 11/OpenEXR
CVE-2020-16588
https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f
CVE-2020-16589
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8


AFTER


CVE-2020-16587

15

$ exrheader PoC_hbo_chunkOffsetReconstruction 

file PoC_hbo_chunkOffsetReconstruction (incomplete):

file format version: 2, flags 0x1000
channels (type chlist):
    FLOAT, 32-bit floating-point, sampling 1 1
compression (type compression): zip, multi-scanline blocks
dataWindow (type box2i): (0 0) - (63 63)
displayWindow (type box2i): (0 0) - (196 262)
lineOrder (type lineOrder): increasing y
name (type string): "0"
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
tataWindow (type box2a)
type (type string): "scanlineimage"

$

12

$ exrheader PoC_hbo_chunkOffsetReconstruction

PoC_hbo_chunkOffsetReconstruction (incomplete file):

file format version: 2, flags 0x1000
channels (type chlist):
    FLOAT, 32-bit floating-point, sampling 1 1
compression (type compression): zip, multi-scanline blocks
dataWindow (type box2i): (0 0) - (63 63)
displayWindow (type box2i): (0 0) - (196 262)
lineOrder (type lineOrder): increasing y
name (type string): "0"
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
tataWindow (type box2a)
type (type string): "scanlineimage"

$

CVE-2020-16588

15

$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
copying PoC_npd_generatePreview to /dev/null
done.
$

12

$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
copying PoC_npd_generatePreview to /dev/null
done.
$

11

$ exrmakepreview -v PoC_npd_generatePreview /dev/null
generating preview image
copying PoC_npd_generatePreview to /dev/null
done.
$

CVE-2020-16589

15

$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Error reading pixel data from image file "PoC_hbo_writeTileData". rawTileData read an invalid tile
$

12

$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Error reading pixel data from image file "PoC_hbo_writeTileData". rawTileData read an invalid tile
$

11

$ exrmakepreview -v PoC_hbo_writeTileData /dev/null
generating preview image
copying PoC_hbo_writeTileData to /dev/null
Error reading pixel data from image file "PoC_hbo_writeTileData". rawTileData read an invalid tile
$
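
The BEFORE/AFTER comparison in comment 8 can be scripted as a regression check. This is an added example, not part of the original bug report or of SUSE's tooling; the function names are hypothetical, and it assumes the reproducer files named in comment 8 are in the current directory.

```shell
#!/bin/sh
# Added example: classify how a tool exits on a reproducer file.
# A shell reports death-by-signal as 128 + signal number, so the
# "Segmentation fault" runs above appear as status 139 (128 + 11).

classify_status() {
    case "$1" in
        0)       echo "clean" ;;
        126|127) echo "not-run" ;;            # tool missing or not executable
        *)  if [ "$1" -gt 128 ]; then
                echo "crash(signal $(($1 - 128)))"
            else
                echo "handled-error"          # tool rejected the file itself
            fi ;;
    esac
}

# run_check CMD [ARGS...]: run the command silently, print the verdict.
run_check() {
    rc=0
    "$@" </dev/null >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# Runs the three invocations from comment 8. Returns 0 only if every
# tool ran and none crashed; "clean" and "handled-error" both pass,
# matching the AFTER output (header printed, or "invalid tile" error).
check_openexr_pocs() {
    failed=0
    while read -r cve cmd; do
        result=$(run_check $cmd)   # unquoted on purpose: split into argv
        echo "$cve: $result"
        case "$result" in
            crash*|not-run) failed=1 ;;
        esac
    done <<'EOF'
CVE-2020-16587 exrheader PoC_hbo_chunkOffsetReconstruction
CVE-2020-16588 exrmakepreview -v PoC_npd_generatePreview /dev/null
CVE-2020-16589 exrmakepreview -v PoC_hbo_writeTileData /dev/null
EOF
    return "$failed"
}
```

Calling `check_openexr_pocs` on a patched package should print no `crash(...)` line and return 0; a `not-run` verdict means the tools are not installed, not that the fix is present.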
Comment 9 Petr Gajdos 2020-12-16 11:11:56 UTC
Will submit for 15,12/openexr and 11/OpenEXR.
Comment 10 Petr Gajdos 2020-12-16 11:14:47 UTC
Packages submitted, I believe all fixed.
Comment 12 Petr Gajdos 2020-12-16 11:46:15 UTC
(Factory: all fixes are already in 2.5.3)
Comment 14 Wolfgang Frisch 2020-12-16 13:12:47 UTC
*** Bug 1180108 has been marked as a duplicate of this bug. ***
Comment 15 Wolfgang Frisch 2020-12-16 13:12:51 UTC
*** Bug 1180109 has been marked as a duplicate of this bug. ***
Comment 16 Swamp Workflow Management 2020-12-23 23:18:40 UTC
SUSE-SU-2020:3931-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179879
CVE References: CVE-2020-16587,CVE-2020-16588,CVE-2020-16589
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    openexr-2.1.0-6.26.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openexr-2.1.0-6.26.1
SUSE Linux Enterprise Server 12-SP5 (src):    openexr-2.1.0-6.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-12-24 17:16:33 UTC
SUSE-SU-2020:3934-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179879
CVE References: CVE-2020-16587,CVE-2020-16588,CVE-2020-16589
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    openexr-2.2.1-3.21.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    openexr-2.2.1-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-12-27 23:18:23 UTC
openSUSE-SU-2020:2349-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179879
CVE References: CVE-2020-16587,CVE-2020-16588,CVE-2020-16589
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    openexr-2.2.1-lp151.4.15.1
Comment 19 Swamp Workflow Management 2020-12-28 11:16:31 UTC
openSUSE-SU-2020:2351-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179879
CVE References: CVE-2020-16587,CVE-2020-16588,CVE-2020-16589
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    openexr-2.2.1-lp152.7.8.1
Comment 20 Wolfgang Frisch 2021-01-11 08:33:17 UTC
Released.