Bug 1169576 - (CVE-2020-11763) VUL-1: CVE-2020-11763: OpenEXR,openexr: out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/257103/
CVSSv2:NVD:CVE-2020-11763:4.3:(AV:N/...
Reported: 2020-04-15 17:17 UTC by Alexandros Toptsoglou
Modified: 2020-10-21 09:26 UTC (History)
Found By: Security Response Team
Comment 1 Petr Gajdos 2020-04-21 11:04:49 UTC
Testcases:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1987#c1
See the description of the bug for bugN -> CVE-N mapping.

Tested with 2.4.0:

$ valgrind  -q exrmakepreview crash.exr /tmp/out
==743== Use of uninitialised value of size 8
==743==    at 0x10AC7E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==743==    by 0x10A747: UnknownInlinedFun (makePreview.cpp:136)
==743==    by 0x10A747: UnknownInlinedFun (makePreview.cpp:158)
==743==    by 0x10A747: main (main.cpp:185)
==743== 
==743== Use of uninitialised value of size 8
==743==    at 0x10AC7E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==743==    by 0x10A722: UnknownInlinedFun (makePreview.cpp:134)
==743==    by 0x10A722: UnknownInlinedFun (makePreview.cpp:158)
==743==    by 0x10A722: main (main.cpp:185)
==743== 
==743== Use of uninitialised value of size 8
==743==    at 0x10AC7E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==743==    by 0x10A734: UnknownInlinedFun (makePreview.cpp:135)
==743==    by 0x10A734: UnknownInlinedFun (makePreview.cpp:158)
==743==    by 0x10A734: main (main.cpp:185)
==743== 
==743== Invalid read of size 8
==743==    at 0x48C3404: Imf_2_4::TileOffsets::operator()(int, int, int, int) (stl_vector.h:1043)
==743==    by 0x48C34D7: Imf_2_4::(anonymous namespace)::writeTileData(Imf_2_4::OutputStreamMutex*, Imf_2_4::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.0] (ImfTiledOutputFile.cpp:457)
==743==    by 0x48C948B: Imf_2_4::TiledOutputFile::copyPixels(Imf_2_4::TiledInputFile&) (ImfTiledOutputFile.cpp:1533)
==743==    by 0x10A8B6: UnknownInlinedFun (makePreview.cpp:176)
==743==    by 0x10A8B6: main (main.cpp:185)
==743==  Address 0x53f0a50 is 16 bytes after a block of size 80 in arena "client"
==743== 
==743== Invalid write of size 8
==743==    at 0x48C34DC: Imf_2_4::(anonymous namespace)::writeTileData(Imf_2_4::OutputStreamMutex*, Imf_2_4::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.0] (ImfTiledOutputFile.cpp:457)
==743==    by 0x48C948B: Imf_2_4::TiledOutputFile::copyPixels(Imf_2_4::TiledInputFile&) (ImfTiledOutputFile.cpp:1533)
==743==    by 0x10A8B6: UnknownInlinedFun (makePreview.cpp:176)
==743==    by 0x10A8B6: main (main.cpp:185)
==743==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==743== 
==743== 
==743== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==743==  Access not within mapped region at address 0x10
==743==    at 0x48C34DC: Imf_2_4::(anonymous namespace)::writeTileData(Imf_2_4::OutputStreamMutex*, Imf_2_4::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.0] (ImfTiledOutputFile.cpp:457)
==743==    by 0x48C948B: Imf_2_4::TiledOutputFile::copyPixels(Imf_2_4::TiledInputFile&) (ImfTiledOutputFile.cpp:1533)
==743==    by 0x10A8B6: UnknownInlinedFun (makePreview.cpp:176)
==743==    by 0x10A8B6: main (main.cpp:185)
==743==  If you believe this happened as a result of a stack
==743==  overflow in your program's main thread (unlikely but
==743==  possible), you can try to increase the size of the
==743==  main thread stack using the --main-stacksize= flag.
==743==  The main thread stack size used in this run was 8388608.
/root/bin/vgq: line 25:   743 Segmentation fault      (core dumped) valgrind -q $@
$

Tested with 2.4.1:

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Error reading pixel data from image file "crash.exr". Data decoding (rle) failed.
$
Comment 2 Petr Gajdos 2020-04-21 12:24:04 UTC
Testing with 15/openexr:

BEFORE

$ valgrind  -q exrmakepreview crash.exr /tmp/out
==30700== Use of uninitialised value of size 8
==30700==    at 0x10A59E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==30700==    by 0x10A979: generatePreview (makePreview.cpp:139)
==30700==    by 0x10A979: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:161)
==30700==    by 0x10A26B: main (main.cpp:185)
==30700== 
==30700== Use of uninitialised value of size 8
==30700==    at 0x10A59E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==30700==    by 0x10A954: generatePreview (makePreview.cpp:137)
==30700==    by 0x10A954: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:161)
==30700==    by 0x10A26B: main (main.cpp:185)
==30700== 
==30700== Use of uninitialised value of size 8
==30700==    at 0x10A59E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==30700==    by 0x10A966: generatePreview (makePreview.cpp:138)
==30700==    by 0x10A966: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:161)
==30700==    by 0x10A26B: main (main.cpp:185)
==30700== 
==30700== Invalid read of size 8
==30700==    at 0x4ED7F56: operator[] (stl_vector.h:798)
==30700==    by 0x4ED7F56: Imf_2_2::TileOffsets::operator()(int, int, int, int) (ImfTileOffsets.cpp:489)
==30700==    by 0x4ECEAAB: Imf_2_2::(anonymous namespace)::writeTileData(Imf_2_2::OutputStreamMutex*, Imf_2_2::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.103] (ImfTiledOutputFile.cpp:458)
==30700==    by 0x4ED00AF: Imf_2_2::TiledOutputFile::copyPixels(Imf_2_2::TiledInputFile&) (ImfTiledOutputFile.cpp:1532)
==30700==    by 0x10AB62: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:179)
==30700==    by 0x10A26B: main (main.cpp:185)
==30700==  Address 0x6d84a20 is 16 bytes after a block of size 80 in arena "client"
==30700== 
==30700== Invalid write of size 8
==30700==    at 0x4ECEAB1: Imf_2_2::(anonymous namespace)::writeTileData(Imf_2_2::OutputStreamMutex*, Imf_2_2::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.103] (ImfTiledOutputFile.cpp:458)
==30700==    by 0x4ED00AF: Imf_2_2::TiledOutputFile::copyPixels(Imf_2_2::TiledInputFile&) (ImfTiledOutputFile.cpp:1532)
==30700==    by 0x10AB62: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:179)
==30700==    by 0x10A26B: main (main.cpp:185)
==30700==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==30700== 
==30700== 
==30700== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==30700==  Access not within mapped region at address 0x10
==30700==    at 0x4ECEAB1: Imf_2_2::(anonymous namespace)::writeTileData(Imf_2_2::OutputStreamMutex*, Imf_2_2::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.103] (ImfTiledOutputFile.cpp:458)
==30700==    by 0x4ED00AF: Imf_2_2::TiledOutputFile::copyPixels(Imf_2_2::TiledInputFile&) (ImfTiledOutputFile.cpp:1532)
==30700==    by 0x10AB62: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:179)
==30700==    by 0x10A26B: main (main.cpp:185)
==30700==  If you believe this happened as a result of a stack
==30700==  overflow in your program's main thread (unlikely but
==30700==  possible), you can try to increase the size of the
==30700==  main thread stack using the --main-stacksize= flag.
==30700==  The main thread stack size used in this run was 8388608.
/root/bin/vgq: line 25: 30700 Segmentation fault      (core dumped) valgrind -q $@
$

AFTER

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Error reading pixel data from image file "crash.exr". Data decoding (rle) failed.
$
Comment 4 Petr Gajdos 2020-04-21 14:29:03 UTC
Tested with 12/openexr:

BEFORE

$ valgrind  -q exrmakepreview crash.exr /tmp/out
==4874== Use of uninitialised value of size 8
==4874==    at 0x402216: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==4874==    by 0x4025E0: generatePreview (makePreview.cpp:139)
==4874==    by 0x4025E0: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:165)
==4874==    by 0x401F63: main (main.cpp:185)
==4874== 
==4874== Use of uninitialised value of size 8
==4874==    at 0x402216: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==4874==    by 0x4025BB: generatePreview (makePreview.cpp:137)
==4874==    by 0x4025BB: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:165)
==4874==    by 0x401F63: main (main.cpp:185)
==4874== 
==4874== Use of uninitialised value of size 8
==4874==    at 0x402216: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==4874==    by 0x4025CD: generatePreview (makePreview.cpp:138)
==4874==    by 0x4025CD: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:165)
==4874==    by 0x401F63: main (main.cpp:185)
==4874== 
==4874== Invalid read of size 8
==4874==    at 0x4EB8B80: operator[] (stl_vector.h:771)
==4874==    by 0x4EB8B80: Imf_2_1::TileOffsets::operator()(int, int, int, int) (ImfTileOffsets.cpp:489)
==4874==    by 0x4EB0FE0: Imf_2_1::(anonymous namespace)::writeTileData(Imf_2_1::OutputStreamMutex*, Imf_2_1::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.96] (ImfTiledOutputFile.cpp:457)
==4874==    by 0x4EB26CF: Imf_2_1::TiledOutputFile::copyPixels(Imf_2_1::TiledInputFile&) (ImfTiledOutputFile.cpp:1531)
==4874==    by 0x4027C9: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:179)
==4874==    by 0x401F63: main (main.cpp:185)
==4874==  Address 0x6b7d9a0 is 16 bytes after a block of size 80 in arena "client"
==4874== 
==4874== Invalid write of size 8
==4874==    at 0x4EB0FE7: Imf_2_1::(anonymous namespace)::writeTileData(Imf_2_1::OutputStreamMutex*, Imf_2_1::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.96] (ImfTiledOutputFile.cpp:457)
==4874==    by 0x4EB26CF: Imf_2_1::TiledOutputFile::copyPixels(Imf_2_1::TiledInputFile&) (ImfTiledOutputFile.cpp:1531)
==4874==    by 0x4027C9: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:179)
==4874==    by 0x401F63: main (main.cpp:185)
==4874==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==4874== 
==4874== 
==4874== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4874==  Access not within mapped region at address 0x10
==4874==    at 0x4EB0FE7: Imf_2_1::(anonymous namespace)::writeTileData(Imf_2_1::OutputStreamMutex*, Imf_2_1::TiledOutputFile::Data*, int, int, int, int, char const*, int) [clone .isra.96] (ImfTiledOutputFile.cpp:457)
==4874==    by 0x4EB26CF: Imf_2_1::TiledOutputFile::copyPixels(Imf_2_1::TiledInputFile&) (ImfTiledOutputFile.cpp:1531)
==4874==    by 0x4027C9: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:179)
==4874==    by 0x401F63: main (main.cpp:185)
==4874==  If you believe this happened as a result of a stack
==4874==  overflow in your program's main thread (unlikely but
==4874==  possible), you can try to increase the size of the
==4874==  main thread stack using the --main-stacksize= flag.
==4874==  The main thread stack size used in this run was 8388608.
/root/bin/vgq: line 25:  4874 Segmentation fault      (core dumped) valgrind -q $@
$

AFTER

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Error reading pixel data from image file "crash.exr". Data decoding (rle) failed.
$
Comment 5 Petr Gajdos 2020-04-22 09:32:10 UTC
Tested with 11/OpenEXR:

BEFORE

$ valgrind  -q exrmakepreview crash.exr /tmp/out
==19378== Use of uninitialised value of size 8
==19378==    at 0x402567: (anonymous namespace)::gamma(half, float) (makePreview.cpp:82)
==19378==    by 0x402A10: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:138)
==19378==    by 0x40228C: main (main.cpp:185)
==19378== 
==19378== Use of uninitialised value of size 8
==19378==    at 0x402567: (anonymous namespace)::gamma(half, float) (makePreview.cpp:82)
==19378==    by 0x4029EC: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:136)
==19378==    by 0x40228C: main (main.cpp:185)
==19378== 
==19378== Use of uninitialised value of size 8
==19378==    at 0x402567: (anonymous namespace)::gamma(half, float) (makePreview.cpp:82)
==19378==    by 0x4029FE: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:137)
==19378==    by 0x40228C: main (main.cpp:185)
==19378== 
==19378== Invalid read of size 8
==19378==    at 0x4E8E9F7: Imf::TileOffsets::operator()(int, int, int, int) (stl_vector.h:563)
==19378==  Address 0x6b325b8 is not stack'd, malloc'd or (recently) free'd
==19378== 
==19378== Invalid write of size 8
==19378==    at 0x4E841E5: Imf::(anonymous namespace)::writeTileData(Imf::TiledOutputFile::Data*, int, int, int, int, char const*, int) (ImfTiledOutputFile.cpp:446)
==19378==    by 0x4E8AB9A: Imf::TiledOutputFile::copyPixels(Imf::TiledInputFile&) (ImfTiledOutputFile.cpp:1412)
==19378==    by 0x402C4D: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:178)
==19378==    by 0x40228C: main (main.cpp:185)
==19378==  Address 0x58 is not stack'd, malloc'd or (recently) free'd
==19378== 
==19378== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==19378==  Access not within mapped region at address 0x58
==19378==    at 0x4E841E5: Imf::(anonymous namespace)::writeTileData(Imf::TiledOutputFile::Data*, int, int, int, int, char const*, int) (ImfTiledOutputFile.cpp:446)
==19378==    by 0x4E8AB9A: Imf::TiledOutputFile::copyPixels(Imf::TiledInputFile&) (ImfTiledOutputFile.cpp:1412)
==19378==    by 0x402C4D: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:178)
==19378==    by 0x40228C: main (main.cpp:185)
/root/bin/vgq: line 25: 19378 Segmentation fault      (core dumped) valgrind -q $@
$

AFTER

$ valgrind  -q exrmakepreview crash.exr /tmp/out
Error reading pixel data from image file "crash.exr". Data decoding (rle) failed.
$
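The before/after checks in Comments 1, 2, 4 and 5 are all read by eye from the valgrind -q transcript: a run on the unfixed build shows "Invalid read"/"Invalid write" records ending in SIGSEGV, a run on the fixed build shows only the tool's own error message. The script below is an added example, not part of this bug report, of OpenEXR or of the SUSE tooling; it parses such a transcript into error records, classifies the run, and extracts the heap-overrun distance from the "Address ... is N bytes after a block of size M" line (the 16-bytes-past-an-80-byte-block access seen above). The two transcripts embedded in it are constructed, condensed versions of the output quoted in this bug with frame argument lists shortened to "(...)"; they are not the real attachment or a real run.

```python
import re

# Constructed sample: condensed from the valgrind output quoted in this bug,
# frames shortened. Not the actual run and not the crash.exr attachment.
SAMPLE_BEFORE = """\
$ valgrind -q exrmakepreview crash.exr /tmp/out
==743== Use of uninitialised value of size 8
==743==    at 0x10AC7E: (anonymous namespace)::gamma(half, float) (makePreview.cpp:83)
==743==    by 0x10A747: main (main.cpp:185)
==743==
==743== Invalid read of size 8
==743==    at 0x48C3404: Imf_2_4::TileOffsets::operator()(int, int, int, int) (stl_vector.h:1043)
==743==    by 0x48C34D7: Imf_2_4::(anonymous namespace)::writeTileData(...) (ImfTiledOutputFile.cpp:457)
==743==  Address 0x53f0a50 is 16 bytes after a block of size 80 in arena "client"
==743==
==743== Invalid write of size 8
==743==    at 0x48C34DC: Imf_2_4::(anonymous namespace)::writeTileData(...) (ImfTiledOutputFile.cpp:457)
==743==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==743==
==743== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==743==  Access not within mapped region at address 0x10
"""

# Constructed "fixed build" transcript: the tool rejects the file cleanly.
SAMPLE_AFTER = """\
$ valgrind -q exrmakepreview crash.exr /tmp/out
Error reading pixel data from image file "crash.exr". Data decoding (rle) failed.
"""

# "==<pid>== " prefix that valgrind puts on every line it emits.
VG_PREFIX = re.compile(r"^==\d+==\s?")
# First line of each memcheck error record we care about.
ERROR_HEADERS = (
    "Invalid read of size",
    "Invalid write of size",
    "Invalid free",
    "Mismatched free",
    "Use of uninitialised value",
    "Conditional jump or move depends on uninitialised value",
    "Process terminating with default action of signal",
)
# "   at 0xADDR: function (file:line)" / "   by 0xADDR: function (file:line)"
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>.+?) \((?P<loc>[^()]+)\)\s*$")
# "Address 0x... is N bytes after|before|inside a block of size M ..."
HEAP_RE = re.compile(r"is (?P<dist>\d+) bytes (?P<rel>after|before|inside) a block of size (?P<size>\d+)")


def parse_valgrind(text):
    """Split a valgrind -q transcript into records: kind, frames, address line."""
    errors = []
    current = None
    for raw in text.splitlines():
        m = VG_PREFIX.match(raw)
        if not m:
            continue  # program output or shell prompt, not a valgrind line
        line = raw[m.end():]
        if not line.strip():
            current = None  # an empty ==pid== line terminates the record
            continue
        if any(line.startswith(h) for h in ERROR_HEADERS):
            current = {"kind": line.strip(), "frames": [], "address": None}
            errors.append(current)
            continue
        if current is None:
            continue
        fm = FRAME_RE.match(line)
        if fm:
            current["frames"].append((fm.group("func"), fm.group("loc")))
        elif line.lstrip().startswith("Address "):
            current["address"] = line.strip()
    return errors


def classify(text):
    """'memory-unsafe' if any invalid access or crash, 'uninitialised' if only
    uninitialised-value reports, otherwise 'clean' (no memcheck records)."""
    kinds = [e["kind"] for e in parse_valgrind(text)]
    if any(k.startswith(("Invalid ", "Mismatched ", "Process terminating")) for k in kinds):
        return "memory-unsafe"
    if any("uninitialised" in k for k in kinds):
        return "uninitialised"
    return "clean"


def heap_overruns(text):
    """(distance, relation, block_size) for every access outside a heap block."""
    out = []
    for e in parse_valgrind(text):
        hm = HEAP_RE.search(e["address"] or "")
        if hm and hm.group("rel") != "inside":
            out.append((int(hm.group("dist")), hm.group("rel"), int(hm.group("size"))))
    return out


def fault_sites(text):
    """(error kind, innermost frame) for each record that carries a backtrace."""
    return [(e["kind"], e["frames"][0]) for e in parse_valgrind(text) if e["frames"]]


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: {classify(sample)}")
        for kind, (func, loc) in fault_sites(sample):
            print(f"  {kind}: {func} @ {loc}")
        for dist, rel, size in heap_overruns(sample):
            print(f"  heap access {dist} bytes {rel} a {size}-byte block")
```

Run on the two samples it reports the unfixed build as memory-unsafe (innermost frames in TileOffsets::operator() and writeTileData, one access 16 bytes past an 80-byte block) and the fixed build as clean, which is the same verdict the comments above reach by inspection; pointing it at a real transcript only requires feeding the file's text to classify().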
Comment 6 Petr Gajdos 2020-04-22 09:58:54 UTC
Packages submitted for 15/openexr, 12/openexr and 11/OpenEXR.
I believe all fixed.
Comment 8 Swamp Workflow Management 2020-05-22 22:32:12 UTC
openSUSE-SU-2020:0682-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1146648,1169549,1169573,1169574,1169575,1169576,1169578,1169580
CVE References: CVE-2020-11758,CVE-2020-11760,CVE-2020-11761,CVE-2020-11762,CVE-2020-11763,CVE-2020-11764,CVE-2020-11765
Sources used:
openSUSE Leap 15.1 (src):    openexr-2.2.1-lp151.4.9.1
Comment 9 Alexandros Toptsoglou 2020-07-10 14:59:28 UTC
Done