[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-9114/openexr: clarify fixed versions

Sylvain Beucler (@beuc) beuc at debian.org
Wed Jun 23 17:10:45 BST 2021



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eab805e1 by Sylvain Beucler at 2021-06-23T18:07:37+02:00
CVE-2017-9114/openexr: clarify fixed versions
Follow-up to d2433469e14f4e07b77e28e5b20085391450260d

- - - - -
10c9155e by Sylvain Beucler at 2021-06-23T18:07:47+02:00
CVE-2018-18444/openexr: clarify fixed versions
While CVE-2018-18444 is unimportant, it's fixed by the same patchset as CVE-2017-9111/9113/9115,
hence detailing whether and how we fixed it in Debian clarifies the complex CVE-2017-911x status.
Verified using PoC from reference link:
$ ../openexr-2.2.0/exrmultiview/exrmultiview left id:000001,sig:06,src:000522,op:ext_AO,pos:109 right AllHalfValues.exr 12.exr

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -177789,6 +177789,7 @@ CVE-2018-18446
 	RESERVED
 CVE-2018-18444 (makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bound ...)
 	- openexr 2.5.3-2 (unimportant)
+	[jessie] - openexr <not-affected> (exrmultiview code not present in tarball)
 	NOTE: Issue in exrmultiview which is not installed in the binary package.
 	NOTE: https://github.com/openexr/openexr/issues/351
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/401#issuecomment-513721310 (v2.4.0)
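Review bot: the new `[jessie] - openexr <not-affected>` line for CVE-2018-18444 is added without a matching `{DSA-4755-1 DLA-2358-1}` reference line above `- openexr 2.5.3-2 (unimportant)`, even though the data/DLA/list and data/DSA/list hunks in this same commit add CVE-2018-18444 to both advisories; the CVE-2017-9114 entry in the next hunk shows the convention (the `{DLA-2358-1}` line directly under the CVE line). Consider adding `{DSA-4755-1 DLA-2358-1}` here so the CVE entry and the advisory lists agree. The jessie rationale "exrmultiview code not present in tarball" also differs in kind from the existing NOTE that exrmultiview "is not installed in the binary package" (the unimportant case for the other suites); a NOTE giving the upstream version that introduced exrmultiview would make the two statements easy to reconcile.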
@@ -253997,10 +253998,10 @@ CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator fu
 	NOTE: https://github.com/openexr/openexr/issues/232
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/401#issuecomment-513721310 (v2.4.0)
 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in  ...)
-	{DSA-4755-1 DLA-2358-1}
-	- openexr 2.2.0-11.1 (bug #873885)
-	[jessie] - openexr <no-dsa> (Minor issue)
-	[wheezy] - openexr <no-dsa> (Minor issue)
+	{DLA-2358-1}
+	- openexr 2.2.0-11.1 (bug #864078)
+	[jessie] - openexr <not-affected> (ImfFastHuf.cpp / DWA compressor introduced v2.2)
+	[wheezy] - openexr <not-affected> (ImfFastHuf.cpp / DWA compressor introduced v2.2)
 	NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5
 	NOTE: https://github.com/openexr/openexr/issues/232
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/49db4a4192482eec9c27669f75db144cf5434804 (v2.2.1)
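Review bot: the new `[wheezy] - openexr <not-affected> (ImfFastHuf.cpp / DWA compressor introduced v2.2)` line conflicts with the data/DLA/list hunk below, which adds CVE-2017-9114 to DLA-1083-1, the wheezy update fixed in openexr 1.6.1-6+deb7u1; a suite cannot be both not affected and fixed by an advisory, so one of the two changes needs to go, or a NOTE must say which one reflects the advisory text rather than the code. The other edits in this hunk are not covered by the commit message "clarify fixed versions": the bug reference moves from #873885 to #864078 with no explanation, and DSA-4755-1 is dropped from the reference line while DLA-2358-1 stays. The latter is consistent with the NOTE that the fixing commit is in v2.2.1 and with buster shipping 2.2.1-4.1+deb10u1 (stretch has 2.2.0-11+deb9u1), but spelling that out in a NOTE would save the next reader the cross-check.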


=====================================
data/DLA/list
=====================================
@@ -1015,7 +1015,7 @@
 	{CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361 CVE-2020-14362}
 	[stretch] - xorg-server 2:1.19.2-1+deb9u6
 [30 Aug 2020] DLA-2358-1 openexr - security update
-	{CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-12596 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306}
+	{CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-12596 CVE-2018-18444 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306}
 	[stretch] - openexr 2.2.0-11+deb9u1
 [30 Aug 2020] DLA-2357-1 ros-actionlib - security update
 	{CVE-2020-10289}
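Review bot: adding CVE-2018-18444 to an advisory entry dated 30 Aug 2020 makes this DLA-2358-1 line diverge from the advisory as mailed, which, going by the previous content of the line, did not list it. If the intent is only to record that stretch's 2.2.0-11+deb9u1 carries the fix (the commit message says the PoC was run against an exrmultiview built from 2.2.0 sources), a `[stretch] - openexr 2.2.0-11+deb9u1` line under CVE-2018-18444 in data/CVE/list would record that without rewriting the advisory's CVE set; if the advisory entry is meant to be amended, a NOTE on the CVE entry explaining the late addition would keep the history legible.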
@@ -4917,7 +4917,7 @@
 	{CVE-2017-14062}
 	[wheezy] - libidn 1.25-2+deb7u3
 [31 Aug 2017] DLA-1083-1 openexr - security update
-	{CVE-2017-9110 CVE-2017-9112 CVE-2017-9116}
+	{CVE-2017-9110 CVE-2017-9112 CVE-2017-9114 CVE-2017-9116}
 	[wheezy] - openexr 1.6.1-6+deb7u1
 [31 Aug 2017] DLA-1082-1 graphicsmagick - security update
 	{CVE-2017-12935 CVE-2017-12936 CVE-2017-12937 CVE-2017-13063 CVE-2017-13064 CVE-2017-13065 CVE-2017-13776 CVE-2017-13777}
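Review bot: adding CVE-2017-9114 to DLA-1083-1 (wheezy, openexr 1.6.1-6+deb7u1) is the other half of the contradiction with the `[wheezy] - openexr <not-affected> (ImfFastHuf.cpp / DWA compressor introduced v2.2)` line in data/CVE/list above: if 1.6.1 has no ImfFastHuf.cpp, the wheezy update cannot have fixed this issue. If the published DLA-1083-1 text listed CVE-2017-9114, keep this line for fidelity to the advisory, say so in a NOTE on the CVE entry, and also add DLA-1083-1 to the CVE entry's reference line, which currently reads `{DLA-2358-1}` only; otherwise drop this addition, since the not-affected marking already yields the right wheezy status.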


=====================================
data/DSA/list
=====================================
@@ -543,7 +543,7 @@
 	{CVE-2020-17353}
 	[buster] - lilypond 2.19.81+really-2.18.2-13+deb10u1
 [29 Aug 2020] DSA-4755-1 openexr - security update
-	{CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306}
+	{CVE-2017-9111 CVE-2017-9113 CVE-2017-9115 CVE-2018-18444 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306}
 	[buster] - openexr 2.2.1-4.1+deb10u1
 [29 Aug 2020] DSA-4754-1 thunderbird - security update
 	{CVE-2020-15664 CVE-2020-15669}
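Review bot: removing CVE-2017-9114 from DSA-4755-1 and adding CVE-2018-18444 changes the CVE set of an advisory published 29 Aug 2020 without anything in the data files recording why. The removal is supported by the CVE entry's NOTE that the fix landed upstream in v2.2.1 and by buster's 2.2.1-4.1+deb10u1 here, but that reasoning lives only in this diff; a NOTE on CVE-2017-9114 such as `NOTE: buster's 2.2.1 already contains the v2.2.1 fix, removed from DSA-4755-1 on 2021-06-23` would preserve it, and the same applies to the addition of CVE-2018-18444, which the commit message justifies only by the shared patchset with CVE-2017-9111/9113/9115.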



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/500cc7819958863a691bb4bf524a987eb4e6718e...10c9155e3a0b76bcb061a87f2759918e542e06b0


