GNU bug report logs - #70174
OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Reported by: Vinicius Monego <monego <at> posteo.net>
Date: Thu, 4 Apr 2024 01:09:03 UTC
Severity: normal
Done: John Kehayias <john.kehayias <at> protonmail.com>
Bug is archived. No further changes may be made.
Message #8 received at 70174 <at> debbugs.gnu.org (full text, mbox):
Hello,
On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
> OpenEXR suffers from these vulnerabilities which were fixed in version
> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
> 3.1.3.
>
> The package contains 448 dependents, and a change in derivation
> shouldn't be pushed to master, at least according to the patch
> submission guidelines.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
Thanks for passing this along.
I've applied a patch, attached, locally to the mesa-updates branch which
updates openexr to the latest version, 3.2.4. It required a few minor
changes (fix a phase, an input) but it builds.
I may wait to queue up some more fixes for that branch, but don't
currently have anything pending. Either way, it will be there soon and
hopefully merged to master (just need to wait for everything to build
and look good).
Thanks!
John
[0001-gnu-openexr-Update-to-3.2.4-security-fixes.patch (text/x-patch, attachment)]