[ubuntu/focal-security] openexr 2.3.0-6ubuntu0.5 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Apr 1 17:30:14 UTC 2021


openexr (2.3.0-6ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: shift overflow in FastHufDecoder
    - debian/patches/CVE-2021-3474.patch: compute Huf codelengths using 64
      bit to prevent shift overflow in IlmImf/ImfFastHuf.cpp.
    - CVE-2021-3474
  * SECURITY UPDATE: integer overflow in calculateNumTiles
    - debian/patches/CVE-2021-3475.patch: compute level size with 64 bits
      to avoid overflow in IlmImf/ImfTiledMisc.cpp.
    - CVE-2021-3475
  * SECURITY UPDATE: shift overflows
    - debian/patches/CVE-2021-3476.patch: ignore unused bits in B44 mode
      detection in IlmImf/ImfB44Compressor.cpp.
    - CVE-2021-3476
  * SECURITY UPDATE: out-of-bounds read via deep tile sample size
    - debian/patches/CVE-2021-3477.patch: fix overflow computing deeptile
      sample table size in IlmImf/ImfDeepTiledInputFile.cpp.
    - CVE-2021-3477
  * SECURITY UPDATE: memory consumption via input file
    - debian/patches/CVE-2021-3478-pre1.patch: reduce size limit for
      scanline files; prevent large chunkoffset allocations in
      IlmImf/ImfCompressor.cpp, IlmImf/ImfCompressor.h, IlmImf/ImfMisc.cpp,
      IlmImf/ImfMultiPartInputFile.cpp, IlmImf/ImfScanLineInputFile.cpp.
    - debian/patches/CVE-2021-3478.patch: sanity check ScanlineInput
      bytesPerLine instead of lineOffset size in
      IlmImf/ImfScanLineInputFile.cpp.
    - CVE-2021-3478
  * SECURITY UPDATE: memory consumption in scanline API
    - debian/patches/CVE-2021-3479-pre1.patch: address issues reported by
      Undefined Behavior Sanitizer in IlmImf/ImfInputFile.cpp.
    - debian/patches/CVE-2021-3479.patch: more efficient handling of filled
      channels reading tiles with scanline API in IlmImf/ImfInputFile.cpp,
      IlmImfTest/testScanLineApi.cpp.
    - CVE-2021-3479

Date: 2021-04-01 13:45:09.575921+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/openexr/2.3.0-6ubuntu0.5