Bug 1194333 - (CVE-2021-45942) VUL-0: CVE-2021-45942: OpenEXR,openexr: heap-based buffer overflow in Imf_3_1:LineCompositeTask:execute
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other   OS: Other
Priority: P3 - Medium   Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/319364/
CVSSv3.1:SUSE:CVE-2021-45942:6.6:(AV:...
Depends on:
Blocks:
Reported: 2022-01-05 09:41 UTC by Carlos López
Modified: 2022-12-07 13:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-01-05 09:41:02 UTC
CVE-2021-45942

OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in
Imf_3_1::LineCompositeTask::execute (called from
IlmThread_3_1::NullThreadPoolProvider::addTask and
IlmThread_3_1::ThreadPool::addGlobalTask).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45942
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/openexr/OSV-2021-1627.yaml
https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45942
http://www.cvedetails.com/cve/CVE-2021-45942/
Comment 1 Carlos López 2022-01-05 09:45:54 UTC
Affected:
 - SUSE:SLE-12:Update/openexr
 - SUSE:SLE-15:Update/openexr
 - openSUSE:Factory/openexr
Comment 2 Petr Gajdos 2022-01-05 13:48:36 UTC
Unsure how to manifest the issue via the testcase.

Submitted for TW,15,12/openexr.

I believe all fixed.
Comment 3 OBSbugzilla Bot 2022-01-05 14:20:03 UTC
This is an autogenerated message for OBS integration:
This bug (1194333) was mentioned in
https://build.opensuse.org/request/show/944051 Factory / openexr
Comment 5 Swamp Workflow Management 2022-01-12 17:16:22 UTC
openSUSE-SU-2022:0062-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1194333
CVE References: CVE-2021-45942
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openexr-2.2.1-3.41.1
Comment 6 Swamp Workflow Management 2022-01-12 17:17:36 UTC
SUSE-SU-2022:0062-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1194333
CVE References: CVE-2021-45942
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    openexr-2.2.1-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-01-12 17:20:01 UTC
SUSE-SU-2022:0061-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1194333
CVE References: CVE-2021-45942
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    openexr-2.1.0-6.45.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openexr-2.1.0-6.45.1
SUSE Linux Enterprise Server 12-SP5 (src):    openexr-2.1.0-6.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-02-14 14:19:20 UTC
openSUSE-SU-2022:0062-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1194333
CVE References: CVE-2021-45942
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openexr-2.2.1-3.41.1
Comment 9 Swamp Workflow Management 2022-02-14 14:32:55 UTC
SUSE-SU-2022:0062-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1194333
CVE References: CVE-2021-45942
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    openexr-2.2.1-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 OBSbugzilla Bot 2022-02-15 07:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1194333) was mentioned in
https://build.opensuse.org/request/show/954468 Factory / openexr
Comment 11 Swamp Workflow Management 2022-03-01 20:20:54 UTC
openSUSE-SU-2022:0062-1: An update that solves 6 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1184561,1185679,1186124,1189458,1193671,1193673,1193675,1193676,1193678,1194333,1195906,1195918
CVE References: CVE-2021-40323,CVE-2021-40324,CVE-2021-40325,CVE-2021-45082,CVE-2021-45083,CVE-2021-45942
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openexr-2.2.1-3.41.1
openSUSE Backports SLE-15-SP3 (src):    cobbler-3.1.2-bp153.2.3.1