Search criteria
122 vulnerabilities found for openexr by openexr
CVE-2025-64183 (GCVE-0-2025-64183)
Vulnerability from nvd – Published: 2025-11-10 21:29 – Updated: 2025-11-14 18:38
VLAI?
Title
OpenEXR has use after free in PyObject_StealAttrString
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.
Severity ?
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.2.0, < 3.2.5
Affected: >= 3.3.0, < 3.3.6 Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64183",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T18:38:28.928677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T18:38:32.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.6"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:29:54.234Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115"
}
],
"source": {
"advisory": "GHSA-57cw-j6vp-2p9m",
"discovery": "UNKNOWN"
},
"title": "OpenEXR has use after free in PyObject_StealAttrString"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64183",
"datePublished": "2025-11-10T21:29:54.234Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-14T18:38:32.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64182 (GCVE-0-2025-64182)
Vulnerability from nvd – Published: 2025-11-10 21:27 – Updated: 2025-11-14 19:22
VLAI?
Title
OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue.
Severity ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.2.0, < 3.2.5
Affected: >= 3.3.0, < 3.3.6 Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64182",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T19:22:55.353355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T19:22:58.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.6"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:27:21.176Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536"
}
],
"source": {
"advisory": "GHSA-vh63-9mqx-wmjr",
"discovery": "UNKNOWN"
},
"title": "OpenEXR has buffer overflow in PyOpenEXR_old\u0027s channels() and channel()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64182",
"datePublished": "2025-11-10T21:27:21.176Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-14T19:22:58.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64181 (GCVE-0-2025-64181)
Vulnerability from nvd – Published: 2025-11-10 21:23 – Updated: 2025-11-12 21:05
VLAI?
Title
OpenEXR Makes Use of Uninitialized Memory
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.
Severity ?
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.0, < 3.3.6
Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64181",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:36:24.461719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:05:26.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.6"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:23:04.248Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq"
},
{
"name": "https://github.com/user-attachments/files/23024726/archive0.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024726/archive0.zip"
},
{
"name": "https://github.com/user-attachments/files/23024736/archive1.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024736/archive1.zip"
},
{
"name": "https://github.com/user-attachments/files/23024740/archive2.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024740/archive2.zip"
},
{
"name": "https://github.com/user-attachments/files/23024744/archive3.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024744/archive3.zip"
},
{
"name": "https://github.com/user-attachments/files/23024746/archive4.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024746/archive4.zip"
}
],
"source": {
"advisory": "GHSA-3h9h-qfvw-98hq",
"discovery": "UNKNOWN"
},
"title": "OpenEXR Makes Use of Uninitialized Memory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64181",
"datePublished": "2025-11-10T21:23:04.248Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-12T21:05:26.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48074 (GCVE-0-2025-48074)
Vulnerability from nvd – Published: 2025-08-01 16:32 – Updated: 2025-08-01 17:09
VLAI?
Title
OpenEXR's Unbounded File Header Values can Lead to Out-Of-Memory Errors
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.2, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T17:07:14.465806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T17:09:00.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.2, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T16:32:54.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf"
},
{
"name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074"
}
],
"source": {
"advisory": "GHSA-x22w-82jp-8rvf",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Unbounded File Header Values can Lead to Out-Of-Memory Errors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48074",
"datePublished": "2025-08-01T16:32:54.595Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-08-01T17:09:00.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48073 (GCVE-0-2025-48073)
Vulnerability from nvd – Published: 2025-07-31 20:25 – Updated: 2025-07-31 20:36
VLAI?
Title
OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.2, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48073",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:36:29.115716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:36:41.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.2, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:25:51.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-qhpm-86v7-phmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-qhpm-86v7-phmm"
},
{
"name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073"
}
],
"source": {
"advisory": "GHSA-qhpm-86v7-phmm",
"discovery": "UNKNOWN"
},
"title": "OpenEXR ScanLineProcess::run_fill NULL Pointer Write In \"reduceMemory\" Mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48073",
"datePublished": "2025-07-31T20:25:51.545Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-07-31T20:36:41.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48072 (GCVE-0-2025-48072)
Vulnerability from nvd – Published: 2025-07-31 20:18 – Updated: 2025-07-31 20:37
VLAI?
Title
OpenEXR's Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.2, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48072",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:37:11.233759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:37:21.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.2, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:18:40.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
}
],
"source": {
"advisory": "GHSA-4r7w-q3jg-ff43",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48072",
"datePublished": "2025-07-31T20:18:40.598Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-07-31T20:37:21.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48071 (GCVE-0-2025-48071)
Vulnerability from nvd – Published: 2025-07-31 20:13 – Updated: 2025-07-31 20:22
VLAI?
Title
OpenEXR's Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.0, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48071",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:22:12.430398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:22:23.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:13:14.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
}
],
"source": {
"advisory": "GHSA-h45x-qhg2-q375",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48071",
"datePublished": "2025-07-31T20:13:14.436Z",
"dateReserved": "2025-05-15T16:06:40.941Z",
"dateUpdated": "2025-07-31T20:22:23.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31047 (GCVE-0-2024-31047)
Vulnerability from nvd – Published: 2024-04-08 00:00 – Updated: 2024-08-02 01:46
VLAI?
Summary
An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.
Severity ?
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openexr:openexr:3.2.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openexr",
"vendor": "openexr",
"versions": [
{
"status": "affected",
"version": "3.2.3"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31047",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T15:15:59.913143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T19:12:26.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/issues/1680"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-08T22:54:26.791143",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/issues/1680"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-31047",
"datePublished": "2024-04-08T00:00:00",
"dateReserved": "2024-03-27T00:00:00",
"dateUpdated": "2024-08-02T01:46:04.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5841 (GCVE-0-2023-5841)
Vulnerability from nvd – Published: 2024-02-01 18:28 – Updated: 2025-11-04 16:10
VLAI?
Title
OpenEXR Heap Overflow in Scanline Deep Data Parsing
Summary
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.
Severity ?
9.1 (Critical)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Academy Software Foundation | OpenEXR |
Affected:
0 , ≤ 3.2.1
(semver)
Unaffected: 3.2.2 Unaffected: 3.1.12 |
Credits
zenofex
WanderingGlitch
Austin Hackers Anonymous!
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:10:52.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://takeonme.org/cves/CVE-2023-5841.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSB6DB5LAKGPLRXEF5HDNGUMT7GIFT2C/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMINVKQLSUHECXBSQMZFCSDRIHFOJJI/"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/36"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/34"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/32"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-5841",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T15:17:50.765495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T15:18:17.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenEXR",
"vendor": "Academy Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.2.2"
},
{
"status": "unaffected",
"version": "3.1.12"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "zenofex"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "WanderingGlitch"
},
{
"lang": "en",
"type": "coordinator",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Austin Hackers Anonymous!"
}
],
"datePublic": "2024-01-31T22:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX\u0026nbsp;image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ev3.2.2 and v3.1.12 of the affected library.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX\u00a0image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions\u00a0v3.2.2 and v3.1.12 of the affected library."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-25T02:06:23.585Z",
"orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"shortName": "AHA"
},
"references": [
{
"url": "https://takeonme.org/cves/CVE-2023-5841.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSB6DB5LAKGPLRXEF5HDNGUMT7GIFT2C/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMINVKQLSUHECXBSQMZFCSDRIHFOJJI/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenEXR Heap Overflow in Scanline Deep Data Parsing",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"assignerShortName": "AHA",
"cveId": "CVE-2023-5841",
"datePublished": "2024-02-01T18:28:05.892Z",
"dateReserved": "2023-10-29T23:41:19.153Z",
"dateUpdated": "2025-11-04T16:10:52.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-20304 (GCVE-0-2021-20304)
Vulnerability from nvd – Published: 2022-08-23 00:00 – Updated: 2024-08-03 17:37
VLAI?
Summary
A flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.
Severity ?
No CVSS data available.
CWE
- CWE-190 - - Integer Overflow or Wraparound
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/849"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939157"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-20304"
},
{
"name": "GLSA-202210-31",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-31"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenEXR",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenEXR 3.0.0-beta"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenEXR\u0027s hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 - Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/849"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939157"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20304"
},
{
"name": "GLSA-202210-31",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-31"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-20304",
"datePublished": "2022-08-23T00:00:00",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:37:23.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20298 (GCVE-0-2021-20298)
Vulnerability from nvd – Published: 2022-08-23 00:00 – Updated: 2024-08-03 17:37
VLAI?
Summary
A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.
Severity ?
No CVSS data available.
CWE
- CWE-400 - - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.785Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-20298"
},
{
"name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3236-1] openexr security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenEXR",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenEXR 3.0.0-beta"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenEXR\u0027s B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 - Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20298"
},
{
"name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3236-1] openexr security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-20298",
"datePublished": "2022-08-23T00:00:00",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:37:23.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64183 (GCVE-0-2025-64183)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:29 – Updated: 2025-11-14 18:38
VLAI?
Title
OpenEXR has use after free in PyObject_StealAttrString
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.
Severity ?
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.2.0, < 3.2.5
Affected: >= 3.3.0, < 3.3.6 Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64183",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T18:38:28.928677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T18:38:32.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.6"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:29:54.234Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115"
}
],
"source": {
"advisory": "GHSA-57cw-j6vp-2p9m",
"discovery": "UNKNOWN"
},
"title": "OpenEXR has use after free in PyObject_StealAttrString"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64183",
"datePublished": "2025-11-10T21:29:54.234Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-14T18:38:32.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64182 (GCVE-0-2025-64182)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:27 – Updated: 2025-11-14 19:22
VLAI?
Title
OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue.
Severity ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.2.0, < 3.2.5
Affected: >= 3.3.0, < 3.3.6 Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64182",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T19:22:55.353355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T19:22:58.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.6"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:27:21.176Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536"
}
],
"source": {
"advisory": "GHSA-vh63-9mqx-wmjr",
"discovery": "UNKNOWN"
},
"title": "OpenEXR has buffer overflow in PyOpenEXR_old\u0027s channels() and channel()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64182",
"datePublished": "2025-11-10T21:27:21.176Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-14T19:22:58.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64181 (GCVE-0-2025-64181)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:23 – Updated: 2025-11-12 21:05
VLAI?
Title
OpenEXR Makes Use of Uninitialized Memory
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.
Severity ?
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.0, < 3.3.6
Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64181",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:36:24.461719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:05:26.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.6"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:23:04.248Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq"
},
{
"name": "https://github.com/user-attachments/files/23024726/archive0.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024726/archive0.zip"
},
{
"name": "https://github.com/user-attachments/files/23024736/archive1.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024736/archive1.zip"
},
{
"name": "https://github.com/user-attachments/files/23024740/archive2.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024740/archive2.zip"
},
{
"name": "https://github.com/user-attachments/files/23024744/archive3.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024744/archive3.zip"
},
{
"name": "https://github.com/user-attachments/files/23024746/archive4.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/23024746/archive4.zip"
}
],
"source": {
"advisory": "GHSA-3h9h-qfvw-98hq",
"discovery": "UNKNOWN"
},
"title": "OpenEXR Makes Use of Uninitialized Memory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64181",
"datePublished": "2025-11-10T21:23:04.248Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-12T21:05:26.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48074 (GCVE-0-2025-48074)
Vulnerability from cvelistv5 – Published: 2025-08-01 16:32 – Updated: 2025-08-01 17:09
VLAI?
Title
OpenEXR's Unbounded File Header Values can Lead to Out-Of-Memory Errors
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.2, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T17:07:14.465806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T17:09:00.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.2, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T16:32:54.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf"
},
{
"name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074"
}
],
"source": {
"advisory": "GHSA-x22w-82jp-8rvf",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Unbounded File Header Values can Lead to Out-Of-Memory Errors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48074",
"datePublished": "2025-08-01T16:32:54.595Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-08-01T17:09:00.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48073 (GCVE-0-2025-48073)
Vulnerability from cvelistv5 – Published: 2025-07-31 20:25 – Updated: 2025-07-31 20:36
VLAI?
Title
OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.2, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48073",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:36:29.115716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:36:41.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.2, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:25:51.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-qhpm-86v7-phmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-qhpm-86v7-phmm"
},
{
"name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073"
}
],
"source": {
"advisory": "GHSA-qhpm-86v7-phmm",
"discovery": "UNKNOWN"
},
"title": "OpenEXR ScanLineProcess::run_fill NULL Pointer Write In \"reduceMemory\" Mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48073",
"datePublished": "2025-07-31T20:25:51.545Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-07-31T20:36:41.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48072 (GCVE-0-2025-48072)
Vulnerability from cvelistv5 – Published: 2025-07-31 20:18 – Updated: 2025-07-31 20:37
VLAI?
Title
OpenEXR's Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.2, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48072",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:37:11.233759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:37:21.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.2, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:18:40.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
}
],
"source": {
"advisory": "GHSA-4r7w-q3jg-ff43",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48072",
"datePublished": "2025-07-31T20:18:40.598Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-07-31T20:37:21.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48071 (GCVE-0-2025-48071)
Vulnerability from cvelistv5 – Published: 2025-07-31 20:13 – Updated: 2025-07-31 20:22
VLAI?
Title
OpenEXR's Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.0, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48071",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:22:12.430398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:22:23.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:13:14.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
}
],
"source": {
"advisory": "GHSA-h45x-qhg2-q375",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48071",
"datePublished": "2025-07-31T20:13:14.436Z",
"dateReserved": "2025-05-15T16:06:40.941Z",
"dateUpdated": "2025-07-31T20:22:23.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31047 (GCVE-0-2024-31047)
Vulnerability from cvelistv5 – Published: 2024-04-08 00:00 – Updated: 2024-08-02 01:46
VLAI?
Summary
An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.
Severity ?
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openexr:openexr:3.2.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openexr",
"vendor": "openexr",
"versions": [
{
"status": "affected",
"version": "3.2.3"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31047",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T15:15:59.913143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T19:12:26.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/issues/1680"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-08T22:54:26.791143",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/issues/1680"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-31047",
"datePublished": "2024-04-08T00:00:00",
"dateReserved": "2024-03-27T00:00:00",
"dateUpdated": "2024-08-02T01:46:04.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5841 (GCVE-0-2023-5841)
Vulnerability from cvelistv5 – Published: 2024-02-01 18:28 – Updated: 2025-11-04 16:10
VLAI?
Title
OpenEXR Heap Overflow in Scanline Deep Data Parsing
Summary
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.
Severity ?
9.1 (Critical)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Academy Software Foundation | OpenEXR |
Affected:
0 , ≤ 3.2.1
(semver)
Unaffected: 3.2.2 Unaffected: 3.1.12 |
Credits
zenofex
WanderingGlitch
Austin Hackers Anonymous!
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:10:52.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://takeonme.org/cves/CVE-2023-5841.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSB6DB5LAKGPLRXEF5HDNGUMT7GIFT2C/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMINVKQLSUHECXBSQMZFCSDRIHFOJJI/"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/36"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/34"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Sep/32"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-5841",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T15:17:50.765495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T15:18:17.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenEXR",
"vendor": "Academy Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.2.2"
},
{
"status": "unaffected",
"version": "3.1.12"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "zenofex"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "WanderingGlitch"
},
{
"lang": "en",
"type": "coordinator",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Austin Hackers Anonymous!"
}
],
"datePublic": "2024-01-31T22:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX\u0026nbsp;image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ev3.2.2 and v3.1.12 of the affected library.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX\u00a0image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions\u00a0v3.2.2 and v3.1.12 of the affected library."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-25T02:06:23.585Z",
"orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"shortName": "AHA"
},
"references": [
{
"url": "https://takeonme.org/cves/CVE-2023-5841.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSB6DB5LAKGPLRXEF5HDNGUMT7GIFT2C/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMINVKQLSUHECXBSQMZFCSDRIHFOJJI/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenEXR Heap Overflow in Scanline Deep Data Parsing",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"assignerShortName": "AHA",
"cveId": "CVE-2023-5841",
"datePublished": "2024-02-01T18:28:05.892Z",
"dateReserved": "2023-10-29T23:41:19.153Z",
"dateUpdated": "2025-11-04T16:10:52.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-20298 (GCVE-0-2021-20298)
Vulnerability from cvelistv5 – Published: 2022-08-23 00:00 – Updated: 2024-08-03 17:37
VLAI?
Summary
A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.
Severity ?
No CVSS data available.
CWE
- CWE-400 - - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.785Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-20298"
},
{
"name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3236-1] openexr security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenEXR",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenEXR 3.0.0-beta"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenEXR\u0027s B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 - Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20298"
},
{
"name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3236-1] openexr security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-20298",
"datePublished": "2022-08-23T00:00:00",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:37:23.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20304 (GCVE-0-2021-20304)
Vulnerability from cvelistv5 – Published: 2022-08-23 00:00 – Updated: 2024-08-03 17:37
VLAI?
Summary
A flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.
Severity ?
No CVSS data available.
CWE
- CWE-190 - - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:37:23.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/849"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939157"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-20304"
},
{
"name": "GLSA-202210-31",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-31"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenEXR",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenEXR 3.0.0-beta"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenEXR\u0027s hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 - Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/849"
},
{
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939157"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20304"
},
{
"name": "GLSA-202210-31",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-31"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-20304",
"datePublished": "2022-08-23T00:00:00",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:37:23.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-202004-0475
Vulnerability from variot - Updated: 2024-11-23 21:01An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. OpenEXR There is a vulnerability in determining boundary conditions.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A security vulnerability exists in LIM OpenEXR versions prior to 2.4.1. An attacker could exploit this vulnerability to crash the application or obtain information. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Background
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. ========================================================================== Ubuntu Security Notice USN-4339-1 April 27, 2020
openexr vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenEXR.
Software Description: - openexr: tools for the OpenEXR image format
Details:
Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2018-18444)
Samuel Groß discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)
It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service. (CVE-2020-11765)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04: libopenexr24 2.3.0-6ubuntu0.1 openexr 2.3.0-6ubuntu0.1
Ubuntu 19.10: libopenexr23 2.2.1-4.1ubuntu1.1 openexr 2.2.1-4.1ubuntu1.1
Ubuntu 18.04 LTS: libopenexr22 2.2.0-11.1ubuntu1.2 openexr 2.2.0-11.1ubuntu1.2
Ubuntu 16.04 LTS: libopenexr22 2.2.0-10ubuntu2.2 openexr 2.2.0-10ubuntu2.2
In general, a standard system update will make all the necessary changes.
References: https://usn.ubuntu.com/4339-1 CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444, CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765
Package Information: https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1 https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1 https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2 https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2
.
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0475",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.15"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.4"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.7"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.4.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.4.0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ubuntu",
"sources": [
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
}
],
"trust": 0.7
},
"cve": "CVE-2020-11765",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11765",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004075",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164376",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11765",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004075",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11765",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004075",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-965",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164376",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11765",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164376"
},
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. OpenEXR There is a vulnerability in determining boundary conditions.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A security vulnerability exists in LIM OpenEXR versions prior to 2.4.1. An attacker could exploit this vulnerability to crash the application or obtain information. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nBackground\n==========\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. ==========================================================================\nUbuntu Security Notice USN-4339-1\nApril 27, 2020\n\nopenexr vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 20.04\n- Ubuntu 19.10\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenEXR. \n\nSoftware Description:\n- openexr: tools for the OpenEXR image format\n\nDetails:\n\nBrandon Perry discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image file,\na remote attacker could cause a denial of service, or possibly execute\narbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760,\nCVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service. (CVE-2020-11765)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 20.04:\n libopenexr24 2.3.0-6ubuntu0.1\n openexr 2.3.0-6ubuntu0.1\n\nUbuntu 19.10:\n libopenexr23 2.2.1-4.1ubuntu1.1\n openexr 2.2.1-4.1ubuntu1.1\n\nUbuntu 18.04 LTS:\n libopenexr22 2.2.0-11.1ubuntu1.2\n openexr 2.2.0-11.1ubuntu1.2\n\nUbuntu 16.04 LTS:\n libopenexr22 2.2.0-10ubuntu2.2\n openexr 2.2.0-10ubuntu2.2\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n https://usn.ubuntu.com/4339-1\n CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444,\n CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761,\n CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765\n\nPackage Information:\n https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1\n https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1\n https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2\n https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164376"
},
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11765",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "157403",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50000",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24158",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164376",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11765",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164376"
},
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"id": "VAR-202004-0475",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164376"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:01:33.688000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "AcademySoftwareFoundation/openexr",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=115984"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-193",
"trust": 1.9
},
{
"problemtype": "CWE-125",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164376"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11765"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157403/ubuntu-security-notice-usn-4339-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50000"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/193.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18444"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4339-1"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164376"
},
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164376"
},
{
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164376"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-04-27T15:19:30",
"db": "PACKETSTORM",
"id": "157403"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.560000",
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164376"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11765"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004075"
},
{
"date": "2022-04-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:33.867000",
"db": "NVD",
"id": "CVE-2020-11765"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Vulnerability in determining boundary conditions in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004075"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-965"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 1.2
}
}
VAR-202004-0471
Vulnerability from variot - Updated: 2024-11-23 20:59An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. OpenEXR Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the 'FastHufDecoder::refill' function of the ImfFastHuf.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenEXR security update Advisory ID: RHSA-2020:4039-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4039 Issue date: 2020-09-29 CVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764 ==================================================================== 1. Summary:
An update for OpenEXR is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
-
OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)
-
OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)
-
OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
ppc64: OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-libs-1.7.1-8.el7.ppc.rpm OpenEXR-libs-1.7.1-8.el7.ppc64.rpm
ppc64le: OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-libs-1.7.1-8.el7.ppc64le.rpm
s390x: OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-libs-1.7.1-8.el7.s390.rpm OpenEXR-libs-1.7.1-8.el7.s390x.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: OpenEXR-1.7.1-8.el7.ppc64.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-devel-1.7.1-8.el7.ppc.rpm OpenEXR-devel-1.7.1-8.el7.ppc64.rpm
ppc64le: OpenEXR-1.7.1-8.el7.ppc64le.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-devel-1.7.1-8.el7.ppc64le.rpm
s390x: OpenEXR-1.7.1-8.el7.s390x.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-devel-1.7.1-8.el7.s390.rpm OpenEXR-devel-1.7.1-8.el7.s390x.rpm
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-11761 https://access.redhat.com/security/cve/CVE-2020-11763 https://access.redhat.com/security/cve/CVE-2020-11764 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1 BnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF 7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1 bAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur mNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj CtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF 9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN aM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J U51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf hOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY Ar+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB vySbS8H4PEI=P3yT -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-4339-1 April 27, 2020
openexr vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenEXR.
Software Description: - openexr: tools for the OpenEXR image format
Details:
Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2018-18444)
Samuel Groß discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)
It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service. (CVE-2020-11765)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04: libopenexr24 2.3.0-6ubuntu0.1 openexr 2.3.0-6ubuntu0.1
Ubuntu 19.10: libopenexr23 2.2.1-4.1ubuntu1.1 openexr 2.2.1-4.1ubuntu1.1
Ubuntu 18.04 LTS: libopenexr22 2.2.0-11.1ubuntu1.2 openexr 2.2.0-11.1ubuntu1.2
Ubuntu 16.04 LTS: libopenexr22 2.2.0-10ubuntu2.2 openexr 2.2.0-10ubuntu2.2
In general, a standard system update will make all the necessary changes.
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0471",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.4"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.7"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.4.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.4.0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
}
],
"trust": 0.7
},
"cve": "CVE-2020-11761",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11761",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004071",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164372",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11761",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004071",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11761",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004071",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-952",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164372",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11761",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164372"
},
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. OpenEXR Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the \u0027FastHufDecoder::refill\u0027 function of the ImfFastHuf.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: OpenEXR security update\nAdvisory ID: RHSA-2020:4039-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:4039\nIssue date: 2020-09-29\nCVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764\n====================================================================\n1. Summary:\n\nAn update for OpenEXR is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. This\npackage contains libraries and sample applications for handling the format. \n\nSecurity Fix(es):\n\n* OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n* OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp\n(CVE-2020-11763)\n\n* OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in\nImfMisc.cpp (CVE-2020-11764)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.9 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nppc64:\nOpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc64.rpm\n\nppc64le:\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc64le.rpm\n\ns390x:\nOpenEXR-debuginfo-1.7.1-8.el7.s390.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm\nOpenEXR-libs-1.7.1-8.el7.s390.rpm\nOpenEXR-libs-1.7.1-8.el7.s390x.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nOpenEXR-1.7.1-8.el7.ppc64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc64.rpm\n\nppc64le:\nOpenEXR-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc64le.rpm\n\ns390x:\nOpenEXR-1.7.1-8.el7.s390x.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm\nOpenEXR-devel-1.7.1-8.el7.s390.rpm\nOpenEXR-devel-1.7.1-8.el7.s390x.rpm\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-11761\nhttps://access.redhat.com/security/cve/CVE-2020-11763\nhttps://access.redhat.com/security/cve/CVE-2020-11764\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1\nBnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF\n7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1\nbAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur\nmNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj\nCtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF\n9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN\naM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J\nU51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf\nhOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY\nAr+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB\nvySbS8H4PEI=P3yT\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. ==========================================================================\nUbuntu Security Notice USN-4339-1\nApril 27, 2020\n\nopenexr vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 20.04\n- Ubuntu 19.10\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenEXR. \n\nSoftware Description:\n- openexr: tools for the OpenEXR image format\n\nDetails:\n\nBrandon Perry discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image file,\na remote attacker could cause a denial of service, or possibly execute\narbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760,\nCVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service. (CVE-2020-11765)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 20.04:\n libopenexr24 2.3.0-6ubuntu0.1\n openexr 2.3.0-6ubuntu0.1\n\nUbuntu 19.10:\n libopenexr23 2.2.1-4.1ubuntu1.1\n openexr 2.2.1-4.1ubuntu1.1\n\nUbuntu 18.04 LTS:\n libopenexr22 2.2.0-11.1ubuntu1.2\n openexr 2.2.0-11.1ubuntu1.2\n\nUbuntu 16.04 LTS:\n libopenexr22 2.2.0-10ubuntu2.2\n openexr 2.2.0-10ubuntu2.2\n\nIn general, a standard system update will make all the necessary changes. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164372"
},
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11761",
"trust": 3.0
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "159359",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "157403",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3401",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50012",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24154",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164372",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11761",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164372"
},
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"id": "VAR-202004-0471",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164372"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T20:59:07.730000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "AcademySoftwareFoundation/openexr",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116439"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164372"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11761"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50012"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157403/ubuntu-security-notice-usn-4339-1.html"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/159359/red-hat-security-advisory-2020-4039-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3401/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:4039"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11763"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11761"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18444"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4339-1"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164372"
},
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164372"
},
{
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164372"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-09-30T15:45:11",
"db": "PACKETSTORM",
"id": "159359"
},
{
"date": "2020-04-27T15:19:30",
"db": "PACKETSTORM",
"id": "157403"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-952"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.327000",
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164372"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11761"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004071"
},
{
"date": "2022-11-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-952"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:33.050000",
"db": "NVD",
"id": "CVE-2020-11761"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Out-of-bounds read vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004071"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-952"
}
],
"trust": 0.6
}
}
VAR-202004-0474
Vulnerability from variot - Updated: 2024-11-23 20:35An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp. OpenEXR Is vulnerable to out-of-bounds writes.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the 'copyIntoFrameBuffer' function of the ImfMisc.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenEXR security update Advisory ID: RHSA-2020:4039-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4039 Issue date: 2020-09-29 CVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764 ==================================================================== 1. Summary:
An update for OpenEXR is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
-
OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)
-
OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)
-
OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
ppc64: OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-libs-1.7.1-8.el7.ppc.rpm OpenEXR-libs-1.7.1-8.el7.ppc64.rpm
ppc64le: OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-libs-1.7.1-8.el7.ppc64le.rpm
s390x: OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-libs-1.7.1-8.el7.s390.rpm OpenEXR-libs-1.7.1-8.el7.s390x.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: OpenEXR-1.7.1-8.el7.ppc64.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-devel-1.7.1-8.el7.ppc.rpm OpenEXR-devel-1.7.1-8.el7.ppc64.rpm
ppc64le: OpenEXR-1.7.1-8.el7.ppc64le.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-devel-1.7.1-8.el7.ppc64le.rpm
s390x: OpenEXR-1.7.1-8.el7.s390x.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-devel-1.7.1-8.el7.s390.rpm OpenEXR-devel-1.7.1-8.el7.s390x.rpm
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-11761 https://access.redhat.com/security/cve/CVE-2020-11763 https://access.redhat.com/security/cve/CVE-2020-11764 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1 BnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF 7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1 bAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur mNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj CtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF 9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN aM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J U51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf hOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY Ar+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB vySbS8H4PEI=P3yT -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0474",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.15"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
}
],
"trust": 0.7
},
"cve": "CVE-2020-11764",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11764",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004074",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164375",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11764",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004074",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11764",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004074",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-961",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164375",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11764",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164375"
},
{
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp. OpenEXR Is vulnerable to out-of-bounds writes.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the \u0027copyIntoFrameBuffer\u0027 function of the ImfMisc.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: OpenEXR security update\nAdvisory ID: RHSA-2020:4039-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:4039\nIssue date: 2020-09-29\nCVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764\n====================================================================\n1. Summary:\n\nAn update for OpenEXR is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. This\npackage contains libraries and sample applications for handling the format. \n\nSecurity Fix(es):\n\n* OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n* OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp\n(CVE-2020-11763)\n\n* OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in\nImfMisc.cpp (CVE-2020-11764)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.9 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nppc64:\nOpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc64.rpm\n\nppc64le:\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc64le.rpm\n\ns390x:\nOpenEXR-debuginfo-1.7.1-8.el7.s390.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm\nOpenEXR-libs-1.7.1-8.el7.s390.rpm\nOpenEXR-libs-1.7.1-8.el7.s390x.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nOpenEXR-1.7.1-8.el7.ppc64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc64.rpm\n\nppc64le:\nOpenEXR-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc64le.rpm\n\ns390x:\nOpenEXR-1.7.1-8.el7.s390x.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm\nOpenEXR-devel-1.7.1-8.el7.s390.rpm\nOpenEXR-devel-1.7.1-8.el7.s390x.rpm\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-11761\nhttps://access.redhat.com/security/cve/CVE-2020-11763\nhttps://access.redhat.com/security/cve/CVE-2020-11764\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1\nBnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF\n7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1\nbAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur\nmNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj\nCtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF\n9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN\naM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J\nU51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf\nhOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY\nAr+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB\nvySbS8H4PEI=P3yT\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164375"
},
{
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11764",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "159359",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3401",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50010",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24157",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164375",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11764",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164375"
},
{
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"id": "VAR-202004-0474",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164375"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T20:35:44.160000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "AcademySoftwareFoundation/openexr",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116442"
},
{
"title": "Red Hat: Moderate: OpenEXR security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20204039 - Security Advisory"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
},
{
"title": "Debian Security Advisories: DSA-4755-1 openexr -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=9325b22b993ac0e61f53dccb8f346da4"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-787",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164375"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11764"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/159359/red-hat-security-advisory-2020-4039-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3401/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50010"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/errata/rhsa-2020:4039"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11763"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11761"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164375"
},
{
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164375"
},
{
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164375"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-09-30T15:45:11",
"db": "PACKETSTORM",
"id": "159359"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-961"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.480000",
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164375"
},
{
"date": "2021-07-11T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11764"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004074"
},
{
"date": "2022-11-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-961"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:33.673000",
"db": "NVD",
"id": "CVE-2020-11764"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Out-of-bounds write vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004074"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-961"
}
],
"trust": 0.6
}
}
VAR-202004-0473
Vulnerability from variot - Updated: 2024-11-23 20:20An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the ImfTileOffsets.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenEXR security update Advisory ID: RHSA-2020:4039-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4039 Issue date: 2020-09-29 CVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764 ==================================================================== 1. Summary:
An update for OpenEXR is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
ppc64: OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-libs-1.7.1-8.el7.ppc.rpm OpenEXR-libs-1.7.1-8.el7.ppc64.rpm
ppc64le: OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-libs-1.7.1-8.el7.ppc64le.rpm
s390x: OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-libs-1.7.1-8.el7.s390.rpm OpenEXR-libs-1.7.1-8.el7.s390x.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: OpenEXR-1.7.1-8.el7.ppc64.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-devel-1.7.1-8.el7.ppc.rpm OpenEXR-devel-1.7.1-8.el7.ppc64.rpm
ppc64le: OpenEXR-1.7.1-8.el7.ppc64le.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-devel-1.7.1-8.el7.ppc64le.rpm
s390x: OpenEXR-1.7.1-8.el7.s390x.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-devel-1.7.1-8.el7.s390.rpm OpenEXR-devel-1.7.1-8.el7.s390x.rpm
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: OpenEXR-1.7.1-8.el7.src.rpm
x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-11761 https://access.redhat.com/security/cve/CVE-2020-11763 https://access.redhat.com/security/cve/CVE-2020-11764 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1 BnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF 7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1 bAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur mNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj CtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF 9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN aM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J U51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf hOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY Ar+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB vySbS8H4PEI=P3yT -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0473",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.15"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.4"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.7"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.4.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.4.0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
}
],
"trust": 0.7
},
"cve": "CVE-2020-11763",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11763",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004073",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164374",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11763",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004073",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11763",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004073",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-959",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164374",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11763",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164374"
},
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the ImfTileOffsets.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: OpenEXR security update\nAdvisory ID: RHSA-2020:4039-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:4039\nIssue date: 2020-09-29\nCVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764\n====================================================================\n1. Summary:\n\nAn update for OpenEXR is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. This\npackage contains libraries and sample applications for handling the format. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.9 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nppc64:\nOpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc64.rpm\n\nppc64le:\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-libs-1.7.1-8.el7.ppc64le.rpm\n\ns390x:\nOpenEXR-debuginfo-1.7.1-8.el7.s390.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm\nOpenEXR-libs-1.7.1-8.el7.s390.rpm\nOpenEXR-libs-1.7.1-8.el7.s390x.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nOpenEXR-1.7.1-8.el7.ppc64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc64.rpm\n\nppc64le:\nOpenEXR-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm\nOpenEXR-devel-1.7.1-8.el7.ppc64le.rpm\n\ns390x:\nOpenEXR-1.7.1-8.el7.s390x.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm\nOpenEXR-devel-1.7.1-8.el7.s390.rpm\nOpenEXR-devel-1.7.1-8.el7.s390x.rpm\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nOpenEXR-1.7.1-8.el7.src.rpm\n\nx86_64:\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-libs-1.7.1-8.el7.i686.rpm\nOpenEXR-libs-1.7.1-8.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nOpenEXR-1.7.1-8.el7.x86_64.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.i686.rpm\nOpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm\nOpenEXR-devel-1.7.1-8.el7.i686.rpm\nOpenEXR-devel-1.7.1-8.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-11761\nhttps://access.redhat.com/security/cve/CVE-2020-11763\nhttps://access.redhat.com/security/cve/CVE-2020-11764\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1\nBnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF\n7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1\nbAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur\nmNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj\nCtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF\n9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN\naM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J\nU51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf\nhOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY\nAr+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB\nvySbS8H4PEI=P3yT\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164374"
},
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11763",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "159359",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3401",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50015",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24156",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164374",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11763",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164374"
},
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"id": "VAR-202004-0473",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164374"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T20:20:58.916000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "AcademySoftwareFoundation/openexr",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116441"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.9
},
{
"problemtype": "CWE-787",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164374"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11763"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50015"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/159359/red-hat-security-advisory-2020-4039-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3401/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:4039"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11763"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11761"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164374"
},
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164374"
},
{
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "159359"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164374"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-09-30T15:45:11",
"db": "PACKETSTORM",
"id": "159359"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-959"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.433000",
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164374"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11763"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004073"
},
{
"date": "2022-11-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-959"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:33.477000",
"db": "NVD",
"id": "CVE-2020-11763"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Out-of-bounds read vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004073"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-959"
}
],
"trust": 0.6
}
}
VAR-202004-0469
Vulnerability from variot - Updated: 2024-11-23 20:14An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer. OpenEXR Exists in an integer overflow vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock in versions prior to LIM OpenEXR 2.4.1 have an input validation error vulnerability. The vulnerability stems from the failure of the network system or product to properly validate the input data. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Background
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0469",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.15"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.4"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.7"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.4.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.4.0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gentoo",
"sources": [
{
"db": "PACKETSTORM",
"id": "163465"
}
],
"trust": 0.1
},
"cve": "CVE-2020-11759",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11759",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004027",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164369",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11759",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004027",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11759",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004027",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-946",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164369",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11759",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164369"
},
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer. OpenEXR Exists in an integer overflow vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock in versions prior to LIM OpenEXR 2.4.1 have an input validation error vulnerability. The vulnerability stems from the failure of the network system or product to properly validate the input data. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nBackground\n==========\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164369"
},
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11759",
"trust": 2.8
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-946",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50014",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24152",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164369",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11759",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164369"
},
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"id": "VAR-202004-0469",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164369"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T20:14:04.003000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "v2.4.1",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116436"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-190",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164369"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11759"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50014"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/190.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164369"
},
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164369"
},
{
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164369"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"date": "2020-05-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-946"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.217000",
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164369"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11759"
},
{
"date": "2020-05-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004027"
},
{
"date": "2022-11-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-946"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:32.637000",
"db": "NVD",
"id": "CVE-2020-11759"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Integer overflow vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004027"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-946"
}
],
"trust": 0.6
}
}
VAR-202004-0468
Vulnerability from variot - Updated: 2024-11-23 19:53An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h. OpenEXR Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the ImfOptimizedPixelReading.h file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Background
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. ========================================================================== Ubuntu Security Notice USN-4339-1 April 27, 2020
openexr vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenEXR.
Software Description: - openexr: tools for the OpenEXR image format
Details:
Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2018-18444)
Samuel Groß discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)
It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service. (CVE-2020-11765)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04: libopenexr24 2.3.0-6ubuntu0.1 openexr 2.3.0-6ubuntu0.1
Ubuntu 19.10: libopenexr23 2.2.1-4.1ubuntu1.1 openexr 2.2.1-4.1ubuntu1.1
Ubuntu 18.04 LTS: libopenexr22 2.2.0-11.1ubuntu1.2 openexr 2.2.0-11.1ubuntu1.2
Ubuntu 16.04 LTS: libopenexr22 2.2.0-10ubuntu2.2 openexr 2.2.0-10ubuntu2.2
In general, a standard system update will make all the necessary changes.
References: https://usn.ubuntu.com/4339-1 CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444, CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765
Package Information: https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1 https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1 https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2 https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2
.
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0468",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "11.0"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ubuntu",
"sources": [
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
}
],
"trust": 0.7
},
"cve": "CVE-2020-11758",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11758",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004026",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164368",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11758",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004026",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11758",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004026",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-944",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164368",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11758",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164368"
},
{
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h. OpenEXR Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the ImfOptimizedPixelReading.h file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nBackground\n==========\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. ==========================================================================\nUbuntu Security Notice USN-4339-1\nApril 27, 2020\n\nopenexr vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 20.04\n- Ubuntu 19.10\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenEXR. \n\nSoftware Description:\n- openexr: tools for the OpenEXR image format\n\nDetails:\n\nBrandon Perry discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image file,\na remote attacker could cause a denial of service, or possibly execute\narbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760,\nCVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service. (CVE-2020-11765)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 20.04:\n libopenexr24 2.3.0-6ubuntu0.1\n openexr 2.3.0-6ubuntu0.1\n\nUbuntu 19.10:\n libopenexr23 2.2.1-4.1ubuntu1.1\n openexr 2.2.1-4.1ubuntu1.1\n\nUbuntu 18.04 LTS:\n libopenexr22 2.2.0-11.1ubuntu1.2\n openexr 2.2.0-11.1ubuntu1.2\n\nUbuntu 16.04 LTS:\n libopenexr22 2.2.0-10ubuntu2.2\n openexr 2.2.0-10ubuntu2.2\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n https://usn.ubuntu.com/4339-1\n CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444,\n CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761,\n CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765\n\nPackage Information:\n https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1\n https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1\n https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2\n https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11758"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164368"
},
{
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11758",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "157403",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50011",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24151",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164368",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11758",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164368"
},
{
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"id": "VAR-202004-0468",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164368"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T19:53:21.490000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "v2.4.1",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116435"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
},
{
"title": "Debian Security Advisories: DSA-4755-1 openexr -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=9325b22b993ac0e61f53dccb8f346da4"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164368"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11758"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157403/ubuntu-security-notice-usn-4339-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50011"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18444"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4339-1"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164368"
},
{
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164368"
},
{
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164368"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"date": "2020-05-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-04-27T15:19:30",
"db": "PACKETSTORM",
"id": "157403"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-944"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.167000",
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164368"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11758"
},
{
"date": "2020-05-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004026"
},
{
"date": "2022-04-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-944"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:32.430000",
"db": "NVD",
"id": "CVE-2020-11758"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Out-of-bounds read vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004026"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-944"
}
],
"trust": 0.6
}
}
VAR-202004-0472
Vulnerability from variot - Updated: 2024-11-23 19:30An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case. OpenEXR There are vulnerabilities related to out-of-bounds writes and out-of-bounds reads.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the 'DwaCompressor::uncompress' function of the ImfDwaCompressor.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Background
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. ========================================================================== Ubuntu Security Notice USN-4339-1 April 27, 2020
openexr vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenEXR.
Software Description: - openexr: tools for the OpenEXR image format
Details:
Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2018-18444)
Samuel Groß discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)
It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service. (CVE-2020-11765)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04: libopenexr24 2.3.0-6ubuntu0.1 openexr 2.3.0-6ubuntu0.1
Ubuntu 19.10: libopenexr23 2.2.1-4.1ubuntu1.1 openexr 2.2.1-4.1ubuntu1.1
Ubuntu 18.04 LTS: libopenexr22 2.2.0-11.1ubuntu1.2 openexr 2.2.0-11.1ubuntu1.2
Ubuntu 16.04 LTS: libopenexr22 2.2.0-10ubuntu2.2 openexr 2.2.0-10ubuntu2.2
In general, a standard system update will make all the necessary changes.
References: https://usn.ubuntu.com/4339-1 CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444, CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765
Package Information: https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1 https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1 https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2 https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2
.
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0472",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.4"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.7"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.4.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.4.0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ubuntu",
"sources": [
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
}
],
"trust": 0.7
},
"cve": "CVE-2020-11762",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11762",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004072",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164373",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11762",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004072",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11762",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004072",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-955",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164373",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11762",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164373"
},
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case. OpenEXR There are vulnerabilities related to out-of-bounds writes and out-of-bounds reads.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the \u0027DwaCompressor::uncompress\u0027 function of the ImfDwaCompressor.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nBackground\n==========\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. ==========================================================================\nUbuntu Security Notice USN-4339-1\nApril 27, 2020\n\nopenexr vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 20.04\n- Ubuntu 19.10\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenEXR. \n\nSoftware Description:\n- openexr: tools for the OpenEXR image format\n\nDetails:\n\nBrandon Perry discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image file,\na remote attacker could cause a denial of service, or possibly execute\narbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760,\nCVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service. (CVE-2020-11765)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 20.04:\n libopenexr24 2.3.0-6ubuntu0.1\n openexr 2.3.0-6ubuntu0.1\n\nUbuntu 19.10:\n libopenexr23 2.2.1-4.1ubuntu1.1\n openexr 2.2.1-4.1ubuntu1.1\n\nUbuntu 18.04 LTS:\n libopenexr22 2.2.0-11.1ubuntu1.2\n openexr 2.2.0-11.1ubuntu1.2\n\nUbuntu 16.04 LTS:\n libopenexr22 2.2.0-10ubuntu2.2\n openexr 2.2.0-10ubuntu2.2\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n https://usn.ubuntu.com/4339-1\n CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444,\n CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761,\n CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765\n\nPackage Information:\n https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1\n https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1\n https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2\n https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164373"
},
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11762",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "157403",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50003",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24155",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164373",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11762",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164373"
},
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"id": "VAR-202004-0472",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164373"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T19:30:40.322000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "AcademySoftwareFoundation/openexr",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116440"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.9
},
{
"problemtype": "CWE-787",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164373"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11762"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157403/ubuntu-security-notice-usn-4339-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50003"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18444"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.1-4.1ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openexr/2.2.0-11.1ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4339-1"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164373"
},
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164373"
},
{
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "157403"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164373"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-04-27T15:19:30",
"db": "PACKETSTORM",
"id": "157403"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-955"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.387000",
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164373"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11762"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004072"
},
{
"date": "2022-11-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-955"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:33.270000",
"db": "NVD",
"id": "CVE-2020-11762"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Out-of-bounds write vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004072"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-955"
}
],
"trust": 0.6
}
}
VAR-202004-0470
Vulnerability from variot - Updated: 2024-11-23 19:25An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp. OpenEXR Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the 'rleUncompress' function of the ImfRle.cpp file in versions prior to LIM OpenEXR 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27
https://security.gentoo.org/
Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27
Synopsis
Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code.
Background
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openexr < 2.5.6 >= 2.5.6
Description
Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenEXR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6"
References
[ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-27
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.
We recommend that you upgrade your openexr packages.
For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0470",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.15.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "openexr",
"scope": "lt",
"trust": 1.0,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.14.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.8,
"vendor": "openexr",
"version": "2.4.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.4"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.0.7"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.1.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.2.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.3.2"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.4.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "1.7.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.0.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.1.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.2.1"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.3.0"
},
{
"model": "openexr",
"scope": "eq",
"trust": 0.1,
"vendor": "openexr",
"version": "2.4.0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:openexr:openexr",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gentoo",
"sources": [
{
"db": "PACKETSTORM",
"id": "163465"
}
],
"trust": 0.1
},
"cve": "CVE-2020-11760",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2020-11760",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004070",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-164371",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2020-11760",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004070",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-11760",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004070",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-948",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-164371",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-11760",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164371"
},
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp. OpenEXR Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the \u0027rleUncompress\u0027 function of the ImfRle.cpp file in versions prior to LIM OpenEXR 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202107-27\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenEXR: Multiple vulnerabilities\n Date: July 11, 2021\n Bugs: #717474, #746794, #762862, #770229, #776808\n ID: 202107-27\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenEXR, the worst of which\ncould result in the arbitrary execution of code. \n\nBackground\n==========\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by\nIndustrial Light \u0026 Magic for use in computer imaging applications. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/openexr \u003c 2.5.6 \u003e= 2.5.6 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenEXR. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenEXR users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/openexr-2.5.6\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-11758\n https://nvd.nist.gov/vuln/detail/CVE-2020-11758\n[ 2 ] CVE-2020-11759\n https://nvd.nist.gov/vuln/detail/CVE-2020-11759\n[ 3 ] CVE-2020-11760\n https://nvd.nist.gov/vuln/detail/CVE-2020-11760\n[ 4 ] CVE-2020-11761\n https://nvd.nist.gov/vuln/detail/CVE-2020-11761\n[ 5 ] CVE-2020-11762\n https://nvd.nist.gov/vuln/detail/CVE-2020-11762\n[ 6 ] CVE-2020-11763\n https://nvd.nist.gov/vuln/detail/CVE-2020-11763\n[ 7 ] CVE-2020-11764\n https://nvd.nist.gov/vuln/detail/CVE-2020-11764\n[ 8 ] CVE-2020-11765\n https://nvd.nist.gov/vuln/detail/CVE-2020-11765\n[ 9 ] CVE-2020-15304\n https://nvd.nist.gov/vuln/detail/CVE-2020-15304\n[ 10 ] CVE-2020-15305\n https://nvd.nist.gov/vuln/detail/CVE-2020-15305\n[ 11 ] CVE-2020-15306\n https://nvd.nist.gov/vuln/detail/CVE-2020-15306\n[ 12 ] CVE-2021-20296\n https://nvd.nist.gov/vuln/detail/CVE-2021-20296\n[ 13 ] CVE-2021-3474\n https://nvd.nist.gov/vuln/detail/CVE-2021-3474\n[ 14 ] CVE-2021-3475\n https://nvd.nist.gov/vuln/detail/CVE-2021-3475\n[ 15 ] CVE-2021-3476\n https://nvd.nist.gov/vuln/detail/CVE-2021-3476\n[ 16 ] CVE-2021-3477\n https://nvd.nist.gov/vuln/detail/CVE-2021-3477\n[ 17 ] CVE-2021-3478\n https://nvd.nist.gov/vuln/detail/CVE-2021-3478\n[ 18 ] CVE-2021-3479\n https://nvd.nist.gov/vuln/detail/CVE-2021-3479\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202107-27\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1. \n\nWe recommend that you upgrade your openexr packages. \n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8\nTjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG\nG6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW\nvn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx\nANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo\nW7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY\nl+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg\nzKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK\n3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c\nR2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ\nUgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD\ndjd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY=\n=FDcC\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULHUB",
"id": "VHN-164371"
},
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11760",
"trust": 2.8
},
{
"db": "PACKETSTORM",
"id": "163465",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-948",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021071101",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2985",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1448",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50013",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-24153",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-164371",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-11760",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168903",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164371"
},
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"id": "VAR-202004-0470",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-164371"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T19:25:34.406000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenEXR Release Notes",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020"
},
{
"title": "AcademySoftwareFoundation/openexr",
"trust": 0.8,
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1"
},
{
"title": "Industrial Light and Magic OpenEXR Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116437"
},
{
"title": "Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c611c9f78ad3458919de1d9728e6b32b"
},
{
"title": "Ubuntu Security Notice: openexr vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-4339-1"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164371"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/4339-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202107-27"
},
{
"trust": 1.8,
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1987"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020"
},
{
"trust": 1.8,
"url": "https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211288"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211289"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211290"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211291"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht211295"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4755"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html"
},
{
"trust": 1.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11760"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11760"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2985/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1448/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1816/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50013"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071101"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11761"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15305"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11765"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11763"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11758"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15306"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11762"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11764"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11759"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3476"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3479"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3474"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3475"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3477"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openexr"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9115"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9113"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9111"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9114"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164371"
},
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-164371"
},
{
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"db": "PACKETSTORM",
"id": "163465"
},
{
"db": "PACKETSTORM",
"id": "168903"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-14T00:00:00",
"db": "VULHUB",
"id": "VHN-164371"
},
{
"date": "2020-04-14T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"date": "2021-07-12T15:22:22",
"db": "PACKETSTORM",
"id": "163465"
},
{
"date": "2020-08-28T19:12:00",
"db": "PACKETSTORM",
"id": "168903"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-948"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2020-04-14T23:15:12.277000",
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-164371"
},
{
"date": "2020-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-2020-11760"
},
{
"date": "2020-05-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004070"
},
{
"date": "2022-11-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-948"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2024-11-21T04:58:32.837000",
"db": "NVD",
"id": "CVE-2020-11760"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenEXR Out-of-bounds read vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004070"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-948"
}
],
"trust": 0.6
}
}