From: Vinicius Monego <monego@posteo.net>
To: bug-guix@gnu.org
Date: Thu, 4 Apr 2024 01:07:52 +0000
Subject: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942

OpenEXR suffers from these vulnerabilities, which were fixed in versions
3.2.2 [1] and 3.1.4 [2] respectively, while our version is currently
3.1.3.

The package contains 448 dependents, and a change in derivation
shouldn't be pushed to master, at least according to the patch
submission guidelines.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942


From: John Kehayias <john.kehayias@protonmail.com>
To: Vinicius Monego
Cc: 70174@debbugs.gnu.org
Date: Thu, 04 Apr 2024 02:50:28 +0000
Subject: Re: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Message-ID: <87zfu9vo28.fsf@protonmail.com>
Hello,

On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:

> [...]

Thanks for passing this along.

I've applied a patch, attached, locally to the mesa-updates branch which
updates openexr to the latest version, 3.2.4. It required a few minor
changes (fix a phase, an input) but it builds.

I may wait to queue up some more fixes for that branch, but don't
currently have anything pending. Either way, it will be there soon and
hopefully merged to master (just need to wait for everything to build
and look good).

Thanks!
John

--- Attachment: 0001-gnu-openexr-Update-to-3.2.4-security-fixes.patch (text/x-patch) ---

From 870359351e80a3d14304a4f6a1b734f67c1ea167 Mon Sep 17 00:00:00 2001
Message-ID: <870359351e80a3d14304a4f6a1b734f67c1ea167.1712198858.git.john.kehayias@protonmail.com>
From: John Kehayias <john.kehayias@protonmail.com>
Date: Wed, 3 Apr 2024 22:45:50 -0400
Subject: [PATCH] gnu: openexr: Update to 3.2.4 [security fixes].

Previous versions, 3.2.2 and 3.1.4, fixed CVE-2023-5841 and CVE-2021-45942,
respectively.

* gnu/packages/graphics.scm (openexr): Update to 3.2.4.

Reported-by: Vinicius Monego <monego@posteo.net>
Change-Id: I72f82e623c9b8988cae433947117cd81f40cdbc3
---
 gnu/packages/graphics.scm | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm
index ad08141c96..188e066766 100644
--- a/gnu/packages/graphics.scm
+++ b/gnu/packages/graphics.scm
@@ -1200,7 +1200,7 @@ (define-public ogre
 (define-public openexr
   (package
     (name "openexr")
-    (version "3.1.3")
+    (version "3.2.4")
     (source (origin
              (method git-fetch)
              (uri (git-reference
@@ -1210,7 +1210,7 @@ (define-public openexr
              (file-name (git-file-name name version))
              (sha256
               (base32
-                     "0c9vla0kbsbbhkk42jlbf94nzfb1anqh7dy9b0b3nna1qr6v4bh6"))))
+                "00s1a05kggk71vfbnsvykyjc2j7y6yyzgl63sy4yiddshz2k2mcr"))))
     (build-system cmake-build-system)
     (arguments
      (list #:phases
@@ -1218,8 +1218,6 @@ (define-public openexr
                (add-after 'unpack 'patch-test-directory
                   (lambda _
                   (substitute* (list
-                                 "src/test/OpenEXRUtilTest/tmpDir.h"
-                                 "src/test/OpenEXRFuzzTest/tmpDir.h"
                                  "src/test/OpenEXRTest/tmpDir.h"
                                  "src/test/OpenEXRCoreTest/main.cpp")
                      (("/var/tmp")
@@ -1247,7 +1245,7 @@ (define-public openexr
                                    "")
                                   (("TEST \\(testOptimizedInterleavePatterns, \"basic\"\\);")
                                 "")))))))))
-    (inputs (list imath zlib))
+    (inputs (list imath libdeflate zlib))
     (home-page "https://www.openexr.com/")
     (synopsis "High-dynamic-range file format library")
     (description

base-commit: 1cba1f8ce6f84c4737650401c0eb0473a45f9ff7
prerequisite-patch-id: fa1f23e1340a3eeb9f347ed719b9b0fa0558fb3f
prerequisite-patch-id: a1eb5f0955b9988d3bfe3be8403c75999a1cae5f
prerequisite-patch-id: 2889be19c4a046760f2f608cefff987b11b65a31
prerequisite-patch-id: ea93b6662275aeec1e014a9bc9fe7a96f26ac600
prerequisite-patch-id: 177440a12b7c797d22f8bb1253db133d2fbad348
prerequisite-patch-id: 3a5189c1e8e4612ceb6f1b70cc3c83e39a977eb9
prerequisite-patch-id: 7ddfa796914f078615724949db7c1ac6c148d09f
prerequisite-patch-id: 3037b56c731bc0a62c6b4a2cfecbadc8ead38453
prerequisite-patch-id: 163581597c141e701fc8089a6337683abce82894
prerequisite-patch-id: f2f116d9fedadb3443bc61ff3824c479cda5fcf0
prerequisite-patch-id: 57807814fe98a68ffc68fb9ebdb92a7115959e0b
prerequisite-patch-id: 95f518cd6bd40014a2cb1b83f5af807b069a84cf
prerequisite-patch-id: 040ecf8f843498b7bcedac335cff1b84af17fad9
prerequisite-patch-id: 06b54c27f5ecd182574be222a50f592c5fb3fa4d
prerequisite-patch-id: 50f1bd0ac736d175116893d79869780070a2ea59
prerequisite-patch-id: 03be0e6d28cd6c11eaaf7b9784ba032fa72be4ff
prerequisite-patch-id: dce4ebc8c7dc26df87b1a91f676f660a87379c8a
prerequisite-patch-id: e3f21290baa6ec82b673387974ae2561caad7e64
prerequisite-patch-id: 15f266f43c1918cc8526406283af83369c4dc80e
prerequisite-patch-id: 78eedd30786c77e0e0a06f1d959ee9b687902d8f
prerequisite-patch-id: 3ad571d4975f17216c7ab008f3e81c5e038ec65b
prerequisite-patch-id: 8bcf03f489b2f139d277d0e46552ac0211b061b2
prerequisite-patch-id: 0e92576d6b767e75d64accf5b5d38eda08dae78e
-- 
2.41.0

--- End of attachment ---

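Review bot: the commit message does not justify the jump across a minor series in the hunk at @@ -1200,7 +1200,7 @@: openexr goes from 3.1.3 straight to 3.2.4, and the message names the first fixed versions (3.2.2 and 3.1.4) without saying why the latest release was chosen over the smallest version that carries both fixes. For a package with 448 dependents (per the report) a sentence on that choice, and on the branch the change is queued for, belongs in the message so that whoever later bisects a mass rebuild knows the bump was deliberate.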
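Review bot: the hunk at @@ -1210,7 +1210,7 @@ is not minimal for a security fix: besides replacing the hash it re-indents the base32 string (the removed line sits at column 21, the added one at column 16), so either keep the old indentation or mention the whitespace change in the commit message. The message should also state how the new hash was obtained (for example `guix hash` over a fresh checkout of the v3.2.4 tag), because with a git-fetch origin this sha256 is what pins the source content and a reviewer has to reproduce it before pushing.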
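Review bot: the ChangeLog entry above does not cover the hunk at @@ -1218,8 +1218,6 @@: two files are dropped from the substitute* list of the patch-test-directory phase, yet the entry only records "(openexr): Update to 3.2.4." Add a line such as "[arguments]: Adjust patch-test-directory phase." and say why the two tmpDir.h paths no longer need the /var/tmp substitution, so the next updater knows whether the remaining two substitutions still apply.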
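Review bot: the ChangeLog entry is also missing an "[inputs]: Add libdeflate." line for the hunk at @@ -1247,7 +1245,7 @@ (the follow-up message in this thread notes the omission and that it was fixed locally). Since this new input is what the 3.2.x build needs, it is worth checking in the same pass whether zlib is still used by the 3.2.4 build or has become a stale dependency that can be dropped in this commit.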
From: John Kehayias <john.kehayias@protonmail.com>
To: Vinicius Monego
Cc: 70174@debbugs.gnu.org
Date: Thu, 04 Apr 2024 03:47:37 +0000
Subject: Re: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Message-ID: <87v84xvlex.fsf@protonmail.com>
In-Reply-To: <87zfu9vo28.fsf@protonmail.com>

On Thu, Apr 04, 2024 at 02:50 AM, John Kehayias wrote:

> [...]
Forgot to note the change in [inputs] in the changelog, fixed locally.

From: John Kehayias <john.kehayias@protonmail.com>
To: Vinicius Monego
Cc: 70174-done@debbugs.gnu.org
Date: Thu, 18 Apr 2024 04:58:37 +0000
Subject: Re: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Message-ID: <87h6fz1d39.fsf@protonmail.com>
In-Reply-To: <87v84xvlex.fsf@protonmail.com>

On Thu, Apr 04, 2024 at 03:47 AM, John Kehayias wrote:

> [...]
Pushed as 410e699e0933653e69d03a4cdadf11854c6723f4 (and fixed some build
issues with 2718616f77aace28b3962fef29b4e38b87a512ce) and merged with
2d5736cc3e869fadd2592cc13a8d332fac63b144.

Thanks!
John


Debbugs internal control message (Thu, 16 May 2024 11:24:15 +0000): bug archived.