Bug 1169579 - (CVE-2020-11759) VUL-1: CVE-2020-11759: OpenEXR,openexr: integer overflows in CompositeDeepScanLine:Data:handleDeepFrameBuffer and readSampleCountForLineBlock
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other   OS: Other
Priority: P4 - Low   Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/257099/
CVSSv3.1:SUSE:CVE-2020-11759:3.3:(AV...
Reported: 2020-04-15 17:21 UTC by Alexandros Toptsoglou
Modified: 2020-10-21 09:26 UTC (History)

Found By: Security Response Team

Description Alexandros Toptsoglou 2020-04-15 17:21:02 UTC
CVE-2020-11759

An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in
CompositeDeepScanLine::Data::handleDeepFrameBuffer and
readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11759
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1
https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11759
Comment 1 Petr Gajdos 2020-04-21 11:05:05 UTC
Testcases:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1987#c1
See the description of the bug for bugN -> CVE-N mapping.

Tested with 2.4.0:

$ valgrind  -q exrmakepreview crash.exr /tmp/out
==777== Invalid write of size 4
==777==    at 0x48B1A72: Imf_2_4::DeepScanLineInputFile::readPixelSampleCounts(int, int) (ImfDeepScanLineInputFile.cpp:1895)
==777==    by 0x48A0C44: Imf_2_4::CompositeDeepScanLine::readPixels(int, int) (ImfCompositeDeepScanLine.cpp:460)
==777==    by 0x48FF903: Imf_2_4::InputFile::readPixels(int, int) (ImfInputFile.cpp:808)
==777==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:114)
==777==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:158)
==777==    by 0x10A55F: main (main.cpp:185)
==777==  Address 0x2b35b3040 is not stack'd, malloc'd or (recently) free'd
==777== 
==777== 
==777== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==777==  Access not within mapped region at address 0x2B35B3040
==777==    at 0x48B1A72: Imf_2_4::DeepScanLineInputFile::readPixelSampleCounts(int, int) (ImfDeepScanLineInputFile.cpp:1895)
==777==    by 0x48A0C44: Imf_2_4::CompositeDeepScanLine::readPixels(int, int) (ImfCompositeDeepScanLine.cpp:460)
==777==    by 0x48FF903: Imf_2_4::InputFile::readPixels(int, int) (ImfInputFile.cpp:808)
==777==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:114)
==777==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:158)
==777==    by 0x10A55F: main (main.cpp:185)
==777==  If you believe this happened as a result of a stack
==777==  overflow in your program's main thread (unlikely but
==777==  possible), you can try to increase the size of the
==777==  main thread stack using the --main-stacksize= flag.
==777==  The main thread stack size used in this run was 8388608.
/root/bin/vgq: line 25:   777 Segmentation fault      (core dumped) valgrind -q $@
$

Tested with 2.4.1:

$ valgrind  -q exrmakepreview crash.exr /tmp/out
==32149== Conditional jump or move depends on uninitialised value(s)
==32149==    at 0x48B1990: Imf_2_4::DeepScanLineInputFile::readPixelSampleCounts(int, int) (ImfDeepScanLineInputFile.cpp:1921)
==32149==    by 0x48A1194: Imf_2_4::CompositeDeepScanLine::readPixels(int, int) (ImfCompositeDeepScanLine.cpp:461)
==32149==    by 0x48FF7E3: Imf_2_4::InputFile::readPixels(int, int) (ImfInputFile.cpp:816)
==32149==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:114)
==32149==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:158)
==32149==    by 0x10A55F: main (main.cpp:185)
==32149== 
==32149== Conditional jump or move depends on uninitialised value(s)
==32149==    at 0x48B1C80: Imf_2_4::DeepScanLineInputFile::readPixelSampleCounts(int, int) (ImfDeepScanLineInputFile.cpp:1938)
==32149==    by 0x48A1194: Imf_2_4::CompositeDeepScanLine::readPixels(int, int) (ImfCompositeDeepScanLine.cpp:461)
==32149==    by 0x48FF7E3: Imf_2_4::InputFile::readPixels(int, int) (ImfInputFile.cpp:816)
==32149==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:114)
==32149==    by 0x10A55F: UnknownInlinedFun (makePreview.cpp:158)
==32149==    by 0x10A55F: main (main.cpp:185)
==32149== 
Error reading sample count data from image file "crash.exr". Deep scanline sampleCount data corrupt at chunk 1 (negative sample count detected)
$
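The description attributes the out-of-bounds write to integer overflows in the per-pixel deep sample-count handling, and the 2.4.1 run above ends with "negative sample count detected" instead of an invalid write. The following C program is an added example, not OpenEXR's code and not the Project Zero testcase: it models this bug class with a scanline whose per-pixel sample counts come from an untrusted chunk and are accumulated into offsets into a sample buffer. `accumulate_unchecked` shows how a negative or wrapping count yields an offset outside the buffer, while `accumulate_checked` rejects negative counts and detects overflow before adding. The 4-pixel width, all type and function names, and the three input chunks are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the bug class behind CVE-2020-11759. Added example, not
 * OpenEXR's code: the names and sample chunks below are constructed. */

#define WIDTH 4                      /* pixels per scanline in this toy */

enum { OK = 0, ERR_NEGATIVE_COUNT = 1, ERR_OVERFLOW = 2 };

typedef struct {
    int32_t counts[WIDTH];           /* per-pixel sample counts decoded from
                                        the file: attacker controlled */
} count_chunk;

/* Bug-class version: accumulate counts into per-pixel offsets with plain
 * 32-bit arithmetic and no validation. The wrap is written through uint32_t
 * so the model itself is well-defined; the effect matches an int that
 * silently overflows. */
static void accumulate_unchecked(const count_chunk *c, int32_t offsets[WIDTH],
                                 int32_t *total)
{
    int32_t sum = 0;
    for (int i = 0; i < WIDTH; i++) {
        offsets[i] = sum;
        sum = (int32_t)((uint32_t)sum + (uint32_t)c->counts[i]);
    }
    *total = sum;                    /* later used to size the sample buffer */
}

/* Hardened version: refuse negative counts (the case the 2.4.1 message
 * reports) and check for overflow before each addition. */
static int accumulate_checked(const count_chunk *c, int32_t offsets[WIDTH],
                              int32_t *total)
{
    int32_t sum = 0;
    for (int i = 0; i < WIDTH; i++) {
        int32_t n = c->counts[i];
        if (n < 0)
            return ERR_NEGATIVE_COUNT;
        if (n > INT32_MAX - sum)
            return ERR_OVERFLOW;
        offsets[i] = sum;
        sum += n;
    }
    *total = sum;
    return OK;
}

/* Does every pixel's sample range [offsets[i], offsets[i] + counts[i]) lie
 * inside a buffer of `capacity` samples? This is the bounds condition the
 * unchecked path never establishes before writing through base + offset. */
static bool write_in_bounds(const int32_t offsets[WIDTH], const count_chunk *c,
                            int64_t capacity)
{
    for (int i = 0; i < WIDTH; i++) {
        int64_t start = offsets[i];
        int64_t end = start + c->counts[i];
        if (start < 0 || end < start || end > capacity)
            return false;
    }
    return true;
}

/* Wrappers so each path's outcome on one chunk is a single value. */
static int32_t unchecked_total(const count_chunk *c)
{
    int32_t offsets[WIDTH], total;
    accumulate_unchecked(c, offsets, &total);
    return total;
}

static bool unchecked_would_write_oob(const count_chunk *c, int64_t capacity)
{
    int32_t offsets[WIDTH], total;
    accumulate_unchecked(c, offsets, &total);
    return !write_in_bounds(offsets, c, capacity);
}

static int checked_status(const count_chunk *c)
{
    int32_t offsets[WIDTH], total;
    return accumulate_checked(c, offsets, &total);
}

/* Constructed chunks (not taken from the PoC file): */
static const count_chunk benign   = {{3, 1, 2, 0}};          /* offsets 0,3,4,6 */
static const count_chunk negative = {{3, -5, 1, 1}};         /* pixel 2 at offset -2 */
static const count_chunk wrapping = {{INT32_MAX, 1, 0, 0}};  /* sum wraps to INT32_MIN */

int main(void)
{
    const count_chunk *chunks[] = { &benign, &negative, &wrapping };
    const char *names[] = { "benign", "negative", "wrapping" };
    for (int i = 0; i < 3; i++)
        printf("%-9s unchecked total=%11ld oob=%d  checked status=%d\n",
               names[i], (long)unchecked_total(chunks[i]),
               unchecked_would_write_oob(chunks[i], 8), checked_status(chunks[i]));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. The unchecked path accepts all three chunks and, for the second and third, computes offsets that no buffer sized from `total` can contain; the checked path stops at the first bad count with a distinct status, which is the behaviour a loader needs before any pointer derived from these counts is dereferenced.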
Comment 2 Petr Gajdos 2020-04-21 12:24:41 UTC
Tested with 15/openexr:

BEFORE

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Invalid data window in image header.
$

AFTER

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Invalid data window in image header.
$

Probably not affected by this CVE.
Comment 4 Petr Gajdos 2020-04-21 14:28:52 UTC
Tested with 12/openexr:

BEFORE

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Invalid data window in image header.
$

AFTER

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Invalid data window in image header.
$

Considering not affected.
Comment 5 Petr Gajdos 2020-04-22 09:32:20 UTC
Tested with 11/OpenEXR:

BEFORE

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Cannot read image file "crash.exr". The file format version number's flag field contains unrecognized flags.
$

AFTER

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Cannot read image file "crash.exr". The file format version number's flag field contains unrecognized flags.
$

Considering not affected.
Comment 6 Petr Gajdos 2020-04-22 10:00:27 UTC
Already fixed in TW.
Comment 7 Alexandros Toptsoglou 2020-07-23 07:06:03 UTC
Closing