[Git][security-tracker-team/security-tracker][master] CVE-2021-20298/openexr: fix is partial

Sylvain Beucler (@beuc) beuc at debian.org
Fri Jul 30 16:40:32 BST 2021 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2342e79 by Sylvain Beucler at 2021-07-30T17:38:43+02:00
CVE-2021-20298/openexr: fix is partial

- CVE-2021-20298 is a OOM, but the current fix only divides the memory
  usage by 2, hence below oss-fuzz' 2560 MB detection threshold.

- https://github.com/AcademySoftwareFoundation/openexr/pull/843
  acknowledges that the PR "partially addresses out-of-memory issue"

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -42876,8 +42876,8 @@ CVE-2021-20298 [Out-of-memory in B44Compressor]
 	- openexr 2.5.4-1
 	[buster] - openexr <ignored> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
-	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97 (master)
-	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0c2b46f630a3b5f2f561c2849d047ee39f899179 (2.5.x)
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97 (master) (partial fix)
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0c2b46f630a3b5f2f561c2849d047ee39f899179 (2.5.x) (partial fix)
 CVE-2021-20297 (A flaw was found in NetworkManager in versions before 1.30.0. Setting  ...)
 	- network-manager 1.30.0-2 (bug #986809)
 	[buster] - network-manager <not-affected> (Vulnerable code introduced later)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2342e79022c5adb858b7b9cff41fbd870b0ae1f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2342e79022c5adb858b7b9cff41fbd870b0ae1f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210730/50ec9c06/attachment.htm>

More information about the debian-security-tracker-commits mailing list