Debian DLA-3236-1 : openexr - LTS security update

medium Nessus Plugin ID 168916

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3236 advisory.

- A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file. (CVE-2020-16587)

- A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file. (CVE-2020-16588)

- A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file. (CVE-2020-16589)

- A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
(CVE-2021-20296)

- A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability. (CVE-2021-20298)

- A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability. (CVE-2021-20299)

- A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow.
The highest threat from this vulnerability is to system availability. (CVE-2021-20300)

- A flaw was found in OpenEXR's TiledInputFile functionality. This flaw allows an attacker who can submit a crafted single-part non-image to be processed by OpenEXR, to trigger a floating-point exception error. The highest threat from this vulnerability is to system availability. (CVE-2021-20302)

- A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, leading to an out-of-bounds write on the heap. The greatest impact of this flaw is to application availability, with some potential impact to data integrity as well. (CVE-2021-20303)

- An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
(CVE-2021-23215)

- An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215. (CVE-2021-26260)

- There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability. (CVE-2021-3474)

- There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability. (CVE-2021-3475)

- A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability. (CVE-2021-3476)

- There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability. (CVE-2021-3477)

- There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability. (CVE-2021-3478)

- There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability. (CVE-2021-3479)

- There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability. (CVE-2021-3598)

- There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability. (CVE-2021-3605)

- An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits.
This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths. (CVE-2021-3933)

- In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR. (CVE-2021-3941)

- OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE:
db217f2 may be inapplicable. (CVE-2021-45942)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the openexr packages.

For Debian 10 buster, these problems have been fixed in version 2.2.1-4.1+deb10u2.

See Also

https://security-tracker.debian.org/tracker/CVE-2021-3478

https://security-tracker.debian.org/tracker/CVE-2021-3479

https://security-tracker.debian.org/tracker/CVE-2021-3598

https://security-tracker.debian.org/tracker/CVE-2021-3605

https://security-tracker.debian.org/tracker/CVE-2021-3933

https://security-tracker.debian.org/tracker/CVE-2021-3941

https://security-tracker.debian.org/tracker/CVE-2021-45942

https://packages.debian.org/source/buster/openexr

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986796

https://security-tracker.debian.org/tracker/source-package/openexr

https://www.debian.org/lts/security/2022/dla-3236

https://security-tracker.debian.org/tracker/CVE-2020-16587

https://security-tracker.debian.org/tracker/CVE-2020-16588

https://security-tracker.debian.org/tracker/CVE-2020-16589

https://security-tracker.debian.org/tracker/CVE-2021-20296

https://security-tracker.debian.org/tracker/CVE-2021-20298

https://security-tracker.debian.org/tracker/CVE-2021-20299

https://security-tracker.debian.org/tracker/CVE-2021-20300

https://security-tracker.debian.org/tracker/CVE-2021-20302

https://security-tracker.debian.org/tracker/CVE-2021-20303

https://security-tracker.debian.org/tracker/CVE-2021-23215

https://security-tracker.debian.org/tracker/CVE-2021-26260

https://security-tracker.debian.org/tracker/CVE-2021-3474

https://security-tracker.debian.org/tracker/CVE-2021-3475

https://security-tracker.debian.org/tracker/CVE-2021-3476

https://security-tracker.debian.org/tracker/CVE-2021-3477

Plugin Details

Severity: Medium

ID: 168916

File Name: debian_DLA-3236.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/19/2022

Updated: 9/12/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2021-20303

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libopenexr-dev, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:openexr, p-cpe:/a:debian:debian_linux:libopenexr23, p-cpe:/a:debian:debian_linux:openexr-doc

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/12/2022

Vulnerability Publication Date: 12/9/2020

Reference Information

CVE: CVE-2020-16587, CVE-2020-16588, CVE-2020-16589, CVE-2021-20296, CVE-2021-20298, CVE-2021-20299, CVE-2021-20300, CVE-2021-20302, CVE-2021-20303, CVE-2021-23215, CVE-2021-26260, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479, CVE-2021-3598, CVE-2021-3605, CVE-2021-3933, CVE-2021-3941, CVE-2021-45942