[Git][security-tracker-team/security-tracker][master] Reserve DLA-3236-1 for openexr

Markus Koschany (@apo) apo at debian.org
Sun Dec 11 23:50:43 GMT 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
432e5017 by Markus Koschany at 2022-12-12T00:50:31+01:00
Reserve DLA-3236-1 for openexr

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -74108,7 +74108,6 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in I
 	{DSA-5299-1}
 	[experimental] - openexr 3.1.4-1
 	- openexr 3.1.5-2 (bug #1014828)
-	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
@@ -108269,7 +108268,6 @@ CVE-2021-34696 (A vulnerability in the access control list (ACL) programming of
 CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress functionality in versions pr ...)
 	{DSA-5299-1 DLA-2732-1}
 	- openexr 2.5.7-1 (bug #990899)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 (master)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283 (v2.5)
@@ -108348,7 +108346,6 @@ CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows authentication bypass for s
 CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in  ...)
 	{DSA-5299-1 DLA-2701-1}
 	- openexr 2.5.7-1 (bug #990450)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/566f5241edd87445373885d5f7a904dc81e866c1 (master)
@@ -116543,7 +116540,6 @@ CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found
 CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found in the ...)
 	{DSA-5299-1 DLA-2701-1}
 	- openexr 2.5.7-1 (bug #992703)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894
@@ -116552,7 +116548,6 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...)
 	{DSA-5299-1 DLA-2701-1}
 	- openexr 2.5.7-1
-	[buster] - openexr <ignored> (Minor issue, might change ABI)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
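Review bot: the dropped buster line for CVE-2021-23215 carried the annotation `<ignored> (Minor issue, might change ABI)`; since the issue is now being fixed in buster through DLA-3236-1, confirm that the change backported into 2.2.1-4.1+deb10u2 does not alter openexr's ABI (or state the ABI consideration in the advisory text), otherwise reverse dependencies in buster would silently break.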
@@ -121634,14 +121629,12 @@ CVE-2021-3480 (A flaw was found in slapi-nis in versions before 0.56.7. A NULL p
 CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a (master)
@@ -121650,7 +121643,6 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in
 CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1
@@ -122248,19 +122240,16 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, When invoking the method FileNa
 CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker  ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f
 	NOTE: Introduced by https://github.com/AcademySoftwareFoundation/openexr/commit/7f0c9e256f34cac5a31e9d9cce00ccc898f49f3b (v2.2.0)
@@ -146021,7 +146010,6 @@ CVE-2021-20303 (A flaw found in function dataWindowForTile() of IlmImf/ImfTiledM
 CVE-2021-20302 (A flaw was found in OpenEXR's TiledInputFile functionality. This flaw  ...)
 	{DLA-2732-1}
 	- openexr 2.5.4-1
-	[buster] - openexr <ignored> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25894
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/842
 CVE-2021-20301
@@ -146040,7 +146028,6 @@ CVE-2021-20299 (A flaw was found in OpenEXR's Multipart input file functionality
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f
 CVE-2021-20298 (A flaw was found in OpenEXR's B44Compressor. This flaw allows an attac ...)
 	- openexr 2.5.4-1
-	[buster] - openexr <ignored> (Minor issue)
 	[stretch] - openexr <postponed> (Minor issue, OOM, revisit when there's a full fix upstream)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97 (master) (partial fix)
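Review bot: CVE-2021-20298 is listed as fixed by DLA-3236-1 in data/DLA/list, but the only upstream reference in this entry is marked `(partial fix)` and the remaining stretch line still reads `<postponed> (Minor issue, OOM, revisit when there's a full fix upstream)`. Either confirm that a complete fix was backported to buster, or make the advisory text say that only the partial upstream fix for this OOM issue is included, so the tracker does not claim more than the update delivers.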
@@ -146055,7 +146042,6 @@ CVE-2021-20297 (A flaw was found in NetworkManager in versions before 1.30.0. Se
 CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted i ...)
 	{DLA-2701-1}
 	- openexr 2.5.4-1 (bug #986796)
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a
 CVE-2021-20295 (It was discovered that the update for the virt:rhel module in the RHSA ...)
@@ -183138,19 +183124,16 @@ CVE-2020-16590 (A double free vulnerability exists in the Binary File Descriptor
 CVE-2020-16589 (A head-based buffer overflow exists in Academy Software Foundation Ope ...)
 	{DLA-2491-1}
 	- openexr 2.5.3-2
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8 (v2.4.0-beta.1)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/494
 CVE-2020-16588 (A Null Pointer Deference issue exists in Academy Software Foundation O ...)
 	{DLA-2491-1}
 	- openexr 2.5.3-2
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f (v2.4.0-beta.1)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/493
 CVE-2020-16587 (A heap-based buffer overflow vulnerability exists in Academy Software  ...)
 	{DLA-2701-1}
 	- openexr 2.5.3-2
-	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a (v2.4.0-beta.1)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/491
 CVE-2020-16586


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[12 Dec 2022] DLA-3236-1 openexr - security update
+	{CVE-2020-16587 CVE-2020-16588 CVE-2020-16589 CVE-2021-3474 CVE-2021-3475 CVE-2021-3476 CVE-2021-3477 CVE-2021-3478 CVE-2021-3479 CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941 CVE-2021-20296 CVE-2021-20298 CVE-2021-20299 CVE-2021-20300 CVE-2021-20302 CVE-2021-20303 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942}
+	[buster] - openexr 2.2.1-4.1+deb10u2
 [11 Dec 2022] DLA-3235-1 node-eventsource - security update
 	{CVE-2022-1650}
 	[buster] - node-eventsource 0.2.1-1+deb10u1
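Review bot: the new DLA-3236-1 entry lists CVE-2021-3933, CVE-2021-3941, CVE-2021-20299, CVE-2021-20300 and CVE-2021-20303, yet this commit has no data/CVE/list hunk for any of them; check that those entries had no `[buster] - openexr <no-dsa>` or `<ignored>` annotation left to drop, otherwise a stale buster tag will contradict the advisory. Also, none of the touched CVE entries gain a `DLA-3236-1` cross-reference in their `{...}` line here (CVE-2021-45942 still shows only `{DSA-5299-1}`); if that is filled in by a later step of the release workflow this is fine, otherwise it belongs in this commit.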


=====================================
data/dla-needed.txt
=====================================
@@ -213,11 +213,6 @@ nodejs
   NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster.
   NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html
 --
-openexr (Markus Koschany)
-  NOTE: 20220904: Programming language: C++.
-  NOTE: 20220904: Should be synced with Stretch. (apo)
-  NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/openexr.html
---
 php-cas
   NOTE: 20221105: Programming language: PHP.
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola)
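Review bot: the removed openexr block carried the note `Should be synced with Stretch`, but nothing in this commit touches the stretch side: CVE-2021-45942 keeps `[stretch] - openexr <no-dsa> (Minor issue)` and CVE-2021-20298 keeps `[stretch] - openexr <postponed>` while both are now fixed in buster. If stretch is meant to follow this DLA, update the stretch status accordingly or carry the note over, rather than dropping it silently together with the dla-needed entry.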



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/432e5017235bb67b8bd5ec117e3ffacd02e3d5e5
