clone 864078 -1
severity -1 important
thanks

I have prepared a security update for openexr which I am going to upload
in due course. The upload will fix CVE-2017-9110, CVE-2017-9112 and
CVE-2017-9116. The other CVEs are not considered critical by
upstream. In fact it looks more like they are just normal bugs in the
exr2aces test program which is not built by default. I'm going to clone
this bug report because of the outstanding issues but will lower the
severity to important.

Regards,

Markus
diff -Nru openexr-2.2.0/debian/changelog openexr-2.2.0/debian/changelog
--- openexr-2.2.0/debian/changelog      2016-07-19 08:53:33.000000000 +0200
+++ openexr-2.2.0/debian/changelog      2017-08-31 23:52:03.000000000 +0200
@@ -1,3 +1,14 @@
+openexr (2.2.0-11.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116.
+    Brandon Perry discovered that openexr was affected by an integer overflow
+    vulnerability and missing boundary checks that would allow a remote
+    attacker to cause a denial of service (application crash) via specially
+    crafted image files. (Closes: #864078)
+
+ -- Markus Koschany <a...@debian.org>  Thu, 31 Aug 2017 23:52:03 +0200
+
 openexr (2.2.0-11) unstable; urgency=medium
 
   * Remove symbols files. Closes: #807079
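Review bot: the new changelog entry ends with "(Closes: #864078)" but lists only three CVEs and does not name the patch it adds. Mentioning debian/patches/CVE-2017-911x.patch in the entry, and stating that the remaining CVEs from the report are tracked in the cloned bug, would keep the entry from reading as if the whole report were resolved.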
diff -Nru openexr-2.2.0/debian/patches/CVE-2017-911x.patch 
openexr-2.2.0/debian/patches/CVE-2017-911x.patch
--- openexr-2.2.0/debian/patches/CVE-2017-911x.patch    1970-01-01 
01:00:00.000000000 +0100
+++ openexr-2.2.0/debian/patches/CVE-2017-911x.patch    2017-08-31 
23:52:03.000000000 +0200
@@ -0,0 +1,97 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 31 Aug 2017 23:31:42 +0200
+Subject: CVE-2017-911x
+
+Bug-Upstream: https://github.com/openexr/openexr/issues/232
+Bug-Debian: https://bugs.debian.org/864078
+Origin: 
https://github.com/binarycrusader/openexr/commit/cc603afc7857b99c55360be75a9549422991c1e9
+---
+ IlmImf/ImfDwaCompressor.cpp |  7 ++++++-
+ IlmImf/ImfHuf.cpp           | 10 ++++++----
+ IlmImf/ImfPizCompressor.cpp |  6 ++++++
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
+index 1c1bd45..2ef8878 100644
+--- a/IlmImf/ImfDwaCompressor.cpp
++++ b/IlmImf/ImfDwaCompressor.cpp
+@@ -2377,7 +2377,12 @@ DwaCompressor::uncompress
+ 
+     const char *dataPtr            = inPtr + NUM_SIZES_SINGLE * sizeof(Int64);
+ 
+-    if (inSize < headerSize + compressedSize) 
++    /* Both the sum and individual sizes are checked in case of overflow. */
++    if (inSize < (headerSize + compressedSize) ||
++        inSize < unknownCompressedSize ||
++        inSize < acCompressedSize ||
++        inSize < dcCompressedSize ||
++        inSize < rleCompressedSize)
+     {
+         throw Iex::InputExc("Error uncompressing DWA data"
+                             "(truncated file).");
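Review bot: the first comparison in the new condition in DwaCompressor::uncompress still evaluates `headerSize + compressedSize` before comparing, so the check relies on that addition not wrapping. The four per-field comparisons bound each size by inSize but say nothing about a sum, and whether that is sufficient depends on the types of inSize and the size fields, which are not visible in this hunk. Comparing by subtraction, for example rejecting `headerSize > inSize` first and then `compressedSize > inSize - headerSize`, removes the dependence on type width. It is also worth confirming that none of these comparisons mixes signed and unsigned operands.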
+diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
+index a375d05..97909a5 100644
+--- a/IlmImf/ImfHuf.cpp
++++ b/IlmImf/ImfHuf.cpp
+@@ -822,7 +822,7 @@ hufEncode                          // return: output size 
(in bits)
+ }
+ 
+ 
+-#define getCode(po, rlc, c, lc, in, out, oe)  \
++#define getCode(po, rlc, c, lc, in, out, ob, oe)\
+ {                                             \
+     if (po == rlc)                            \
+     {                                         \
+@@ -835,6 +835,8 @@ hufEncode                          // return: output size 
(in bits)
+                                               \
+       if (out + cs > oe)                      \
+           tooMuchData();                      \
++      else if (out - 1 < ob)                  \
++          notEnoughData();                    \
+                                               \
+       unsigned short s = out[-1];             \
+                                               \
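Review bot: the added test `out - 1 < ob` in getCode forms a pointer one element before the start of the output buffer when out equals ob, which is undefined behaviour in C++ even though the pointer is only compared. `out <= ob` expresses the same condition without leaving the buffer. Since the failing case here is a run-length code arriving before any output has been written, a short comment saying so would help, because notEnoughData() on its own suggests an input-side problem.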
+@@ -895,7 +897,7 @@ hufDecode
+               //
+ 
+               lc -= pl.len;
+-              getCode (pl.lit, rlc, c, lc, in, out, oe);
++              getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+           }
+           else
+           {
+@@ -925,7 +927,7 @@ hufDecode
+                           //
+ 
+                           lc -= l;
+-                          getCode (pl.p[j], rlc, c, lc, in, out, oe);
++                          getCode (pl.p[j], rlc, c, lc, in, out, outb, oe);
+                           break;
+                       }
+                   }
+@@ -952,7 +954,7 @@ hufDecode
+       if (pl.len)
+       {
+           lc -= pl.len;
+-          getCode (pl.lit, rlc, c, lc, in, out, oe);
++          getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+       }
+       else
+       {
+diff --git a/IlmImf/ImfPizCompressor.cpp b/IlmImf/ImfPizCompressor.cpp
+index 46c6fba..8b3ee38 100644
+--- a/IlmImf/ImfPizCompressor.cpp
++++ b/IlmImf/ImfPizCompressor.cpp
+@@ -573,6 +573,12 @@ PizCompressor::uncompress (const char *inPtr,
+     int length;
+     Xdr::read <CharPtrIO> (inPtr, length);
+ 
++    if (length > inSize)
++    {
++      throw InputExc ("Error in header for PIZ-compressed data "
++                      "(invalid array length).");
++    }
++
+     hufUncompress (inPtr, length, _tmpBuffer, tmpBufferEnd - _tmpBuffer);
+ 
+     //
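Review bot: the new check in PizCompressor::uncompress rejects only `length > inSize`, but length is declared as a plain int and is read from the file, so a negative value passes the check and is handed to hufUncompress. Suggest `if (length < 0 || length > inSize)`. If inSize still counts bytes already consumed from inPtr by the preceding reads, the upper bound is also looser than the data that actually remains, and comparing against the remaining byte count would be tighter.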
diff -Nru openexr-2.2.0/debian/patches/series 
openexr-2.2.0/debian/patches/series
--- openexr-2.2.0/debian/patches/series 2016-07-19 08:51:39.000000000 +0200
+++ openexr-2.2.0/debian/patches/series 2017-08-31 23:52:03.000000000 +0200
@@ -8,3 +8,4 @@
 openexr-2.1.0-bigendian.patch
 bigendian_step2.patch
 bug815594.patch
+CVE-2017-911x.patch
