Full Disclosure mailing list archives
Re: [oss-security] Multiple crashes in OpenEXR
From: Brandon Perry <bperry.volatile () gmail com>
Date: Mon, 22 May 2017 07:54:27 -0500
> On May 12, 2017, at 1:48 PM, Brandon Perry <bperry.volatile () gmail com> wrote:
>> On May 12, 2017, at 1:45 PM, Henri Salo <henri () nerv fi> wrote:
>>> On Fri, May 12, 2017 at 12:09:30PM -0500, Brandon Perry wrote:
>>>> As of this writing, <snip>. No CVEs have been requested.
>>> Why not?
>> I'm lazy. I might this weekend.
Attached is the email from MITRE regarding the 7 CVE allocations.
--- Begin Message ---
From: <cve-request () mitre org>
Date: Sun, 21 May 2017 13:48:48 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The 7 CVE IDs are below. In our web form, the field sizes are unfortunately not large enough for the full Valgrind output; however, we understand that the intention was to send the Valgrind output in the attached ZIP file of the http://marc.info/?l=oss-security&m=149460897719400&w=2 post.

[Suggested description]
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.

------------------------------------------
[Additional Information]
==25145== Memcheck, a memory error detector
==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25145== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==25145== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000012,sig:11,src:000328+001154,op:splice,rep:16 /dev/null
==25145==
==25145== Invalid read of size 2
==25145==    at 0x4EDC452: hufDecode (ImfHuf.cpp:898)
==25145==    by 0x4EDC452: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1101)
==25145==    by 0x4EE5680: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==25145==    by 0x4EE4E9D: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:284)
==25145==    by 0x4F5F4A3: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:540)
==25145==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==25145==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==25145==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==25145==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==25145==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==25145==    by 0x40283D: exr2aces (main.cpp:128)
==25145==    by 0x40283D: main (main.cpp:220)
==25145==  Address 0x717c03e is 2 bytes before a block of size 8,356,352 alloc'd
==25145==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25145==    by 0x4EE26EA: Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) (ImfPizCompressor.cpp:193)
==25145==    by 0x4EE0767: Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) (ImfCompressor.cpp:148)
== ...

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
ImfHuf.cpp, hufDecode function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Impact Information Disclosure]
true

------------------------------------------
[Attack Vectors]
Someone must open a crafted

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9110.


[Suggested description]
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.

------------------------------------------
[Additional Information]
==1726== Memcheck, a memory error detector
==1726== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1726== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1726== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000087,sig:11,src:000562+000300,op:splice,rep:2 /dev/null
==1726==
==1726== Invalid write of size 8
==1726==    at 0x4F5C940: storeSSE<true> (ImfOptimizedPixelReading.h:125)
==1726==    by 0x4F5C940: writeToRGBASSETemplate<false, true> (ImfOptimizedPixelReading.h:166)
==1726==    by 0x4F5C940: optimizedWriteToRGBA (ImfOptimizedPixelReading.h:248)
==1726==    by 0x4F5C940: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:959)
==1726==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==1726==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==1726==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==1726==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==1726==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==1726==    by 0x40283D: exr2aces (main.cpp:128)
==1726==    by 0x40283D: main (main.cpp:220)
==1726==  Address 0x4fd0070ea9f0 is not stack'd, malloc'd or (recently) free'd
==1726==
==1726==
==1726== Process terminating with default action of signal 11 (SIGSEGV)
==1726==  Access not within mapped region at address 0x4FD0070EA9F0
==1726==    at 0x4F5C940: storeSSE<true> (ImfOptimizedPixelReading.h:125)
==1726==    by 0x4F5C940: writeToRGBASSETemplate<false, true> (ImfOptimizedPixelReading.h:166)
==1726==    by 0x4F5C940: optimizedWriteToRGBA (ImfOptimizedPixelReading.h:248)
==1726==    by 0x4F5C940: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:959)
==1726==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*)

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
ImfOptimizedPixelReading.h, storeSSE function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Code execution]
true

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Attack Vectors]
Someone must open a crafted EXR image

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9111.


[Suggested description]
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.

------------------------------------------
[Additional Information]
==7206== Memcheck, a memory error detector
==7206== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7206== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==7206== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000103,sig:11,src:002037+004745,op:splice,rep:2 /dev/null
==7206==
==7206== Invalid read of size 1
==7206==    at 0x4EDAA4D: getBits (ImfHuf.cpp:180)
==7206==    by 0x4EDAA4D: hufUnpackEncTable (ImfHuf.cpp:543)
==7206==    by 0x4EDAA4D: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1089)
==7206==    by 0x4EE5680: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==7206==    by 0x4EE4E9D: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:284)
==7206==    by 0x4F5BCD1: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:855)
==7206==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==7206==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==7206==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==7206==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==7206==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==7206==    by 0x40283D: exr2aces (main.cpp:128)
==7206==    by 0x40283D: main (main.cpp:220)
==7206==  Address 0x6daa4a0 is 0 bytes after a block of size 768 alloc'd
==7206==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7206==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7206==    by 0x4F523A2: EXRAllocAligned (ImfSystemSpecific.h:66)
==7206==    by 0x4F523A2: Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) (ImfScanLineInpu ...

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
ImfHuf.cpp, getBits function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Impact Information Disclosure]
true

------------------------------------------
[Attack Vectors]
Someone must open a specially crafted EXR image.

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9112.


[Suggested description]
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.

------------------------------------------
[Additional Information]
==17324== Memcheck, a memory error detector
==17324== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17324== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17324== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000131,sig:11,src:000514+002831,op:splice,rep:16 /dev/null
==17324==
==17324== Invalid write of size 1
==17324==    at 0x4EB4FBA: bufferedReadPixels (ImfInputFile.cpp:331)
==17324==    by 0x4EB4FBA: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:811)
==17324==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==17324==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==17324==    by 0x40283D: exr2aces (main.cpp:128)
==17324==    by 0x40283D: main (main.cpp:220)
==17324==  Address 0xffffffd006dbf6d6 is not stack'd, malloc'd or (recently) free'd
==17324==
==17324==
==17324== Process terminating with default action of signal 11 (SIGSEGV)
==17324==  Access not within mapped region at address 0xFFFFFFD006DBF6D6
==17324==    at 0x4EB4FBA: bufferedReadPixels (ImfInputFile.cpp:331)
==17324==    by 0x4EB4FBA: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:811)
==17324==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==17324==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==17324==    by 0x40283D: exr2aces (main.cpp:128)
==17324==    by 0x40283D: main (main.cpp:220)
==17324==  If you believe this happened as a result of a stack
==17324==  overflow in your program's main thread (unlikely but
==17324==  possible), you can try to increase the size of the
==17324==  main thread stack using the --main-stacksize= flag.
==17324==  The main thread stack size used in this run was 8388608.
==17324==
==17324== HEAP SUMMARY:
==17324==     in use at exit: 275,884 bytes in 198 blocks
==17324==   total heap usage: 254 allocs, 56 frees, 283,664 bytes allocated
== ...

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
ImfInputFile.cpp, bufferedReadPixels function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Code execution]
true

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Attack Vectors]
Someone must open a crafted EXR image

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9113.


[Suggested description]
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.

------------------------------------------
[Additional Information]
==21490== Memcheck, a memory error detector
==21490== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21490== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21490== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000132,sig:11,src:000895,op:havoc,rep:32 /dev/null
==21490==
==21490== Invalid read of size 1
==21490==    at 0x50394CB: refill (ImfFastHuf.cpp:491)
==21490==    by 0x50394CB: Imf_2_2::FastHufDecoder::decode(unsigned char const*, int, unsigned short*, int) (ImfFastHuf.cpp:643)
==21490==    by 0x4EDA77C: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1080)
==21490==    by 0x4EE5680: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==21490==    by 0x4EE4E9D: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:284)
==21490==    by 0x4F5BCD1: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:855)
==21490==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==21490==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==21490==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==21490==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==21490==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==21490==    by 0x40283D: exr2aces (main.cpp:128)
==21490==    by 0x40283D: main (main.cpp:220)
==21490==  Address 0x6dcd950 is 0 bytes after a block of size 49,344 alloc'd
==21490==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21490==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21490==    by 0x4F523A2: EXRAllocAligned (ImfSystemSpecific.h:66)
==21490==    by ...

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
ImfFastHuf.cpp, refill function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Impact Information Disclosure]
true

------------------------------------------
[Attack Vectors]
Someone must open a crafted EXR image.

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9114.


[Suggested description]
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.

------------------------------------------
[Additional Information]
==12435== Memcheck, a memory error detector
==12435== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12435== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12435== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000104,sig:11,src:001329+000334,op:splice,rep:2 /dev/null
==12435==
==12435== Invalid write of size 2
==12435==    at 0x4F2D1F7: operator= (half.h:574)
==12435==    by 0x4F2D1F7: Imf_2_2::copyIntoFrameBuffer(char const*&, char*, char*, unsigned long, bool, double, Imf_2_2::Compressor::Format, Imf_2_2::PixelType, Imf_2_2::PixelType) (ImfMisc.cpp:317)
==12435==    by 0x4F5FDC5: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:635)
==12435==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==12435==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==12435==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==12435==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==12435==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==12435==    by 0x40283D: exr2aces (main.cpp:128)
==12435==    by 0x40283D: main (main.cpp:220)
==12435==  Address 0x4806d9b156 is not stack'd, malloc'd or (recently) free'd
==12435==
==12435==
==12435== Process terminating with default action of signal 11 (SIGSEGV)
==12435==  Access not within mapped region at address 0x4806D9B156
==12435==    at 0x4F2D1F7: operator= (half.h:574)
==12435==    by 0x4F2D1F7: Imf_2_2::copyIntoFrameBuffer(char const*&, char*, char*, unsigned long, bool, double, Imf_2_2::Compressor::Format, Imf_2_2::PixelType, Imf_2_2::PixelType) (ImfMisc.cpp:317)
==12435==    by 0x4F5FDC5: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:635)
==12435==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThrea ...

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
half.h, operator= function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Code execution]
true

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Attack Vectors]
Someone must open a crafted EXR image.

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9115.


[Suggested description]
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.

------------------------------------------
[Additional Information]
==28224== Memcheck, a memory error detector
==28224== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28224== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28224== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000077,sig:11,src:002575,op:havoc,rep:4 /dev/null
==28224==
==28224== Invalid read of size 1
==28224==    at 0x6733D3A: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
==28224==    by 0x6738DD4: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
==28224==    by 0x503C7AD: Imf_2_2::Zip::uncompress(char const*, int, char*) (ImfZip.cpp:148)
==28224==    by 0x4F0ABB4: Imf_2_2::DwaCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfDwaCompressor.cpp:2592)
==28224==    by 0x4F09DF8: Imf_2_2::DwaCompressor::uncompress(char const*, int, int, char const*&) (ImfDwaCompressor.cpp:2312)
==28224==    by 0x4F5F4A3: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:540)
==28224==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==28224==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==28224==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==28224==    by 0x4ED2187: Imf_2_2::RgbaInputFile::FromYca::readYCAScanLine(int, Imf_2_2::Rgba*) (ImfRgbaFile.cpp:1126)
==28224==    by 0x4ED11F6: Imf_2_2::RgbaInputFile::FromYca::readPixels(int) (ImfRgbaFile.cpp:1050)
==28224==    by 0x4ED4CA1: readPixels (ImfRgbaFile.cpp:959)
==28224==    by 0x4ED4CA1: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1298)
==28224==  Address 0x6800000006d986d8 is not stack'd, malloc'd or (recently) free'd
==28224==
==28224==
==28224== Process terminating with default action of signal 11 (SIGSEGV)
==28224==  General Protection Fault
==28224==    at 0x6733D3A: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
==28224==    by 0x ...

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Industrial Light & Magic

------------------------------------------
[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------
[Affected Component]
ImfZip.cpp, uncompress function

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Impact Information Disclosure]
true

------------------------------------------
[Attack Vectors]
Someone must open a crafted EXR image.

------------------------------------------
[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------
[Discoverer]
Brandon Perry

Use CVE-2017-9116.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZIdKJAAoJEHb/MwWLVhi2T7YP/ijc5bTN+xxbTDjtpeaC9Df/
TVK5YsN9Q9chEGnL/Fv3saCBZc36IMF3NIdxUDDFrpLLFj62aQF9dJnObasgobDJ
NFxu5vcGaHRrGO5oDFpnjONKo+mcc1uX7c89ALf7XpaIBtBZdGanAZf+mwBTDCye
ihjE4OjaeB+qWxHg9VfgTjMWUffY28D93zimyWJZXUK49NlgCxgLLW1FAWdpvC6i
e9mjayHcAtrsMhqJJgkfCrf12q2ybHcaDQCY0n95pOp8BO99Z0PQ8s0GGCq59ZVj
1vvWD/0QN3O+nqTvwYI3BaYplPWRLa6g4W4EcLYwSzkOlgjIniKzEjEebcx8XJkh
HwdTz1I4d0o00Jfkgw+FU3w1BbfNQeBmD+2YNJk6aQr990Ls6nTyr1G81Yjvm9fF
m5ANEEjswRcUJ+cQuqdfCKZ/mPT6SfOIldDGbMXLXtRA+qaCeNhVTtcu1jYRdL+Z
lvoGZKqTLLTXoK0jA9wZSUdDsISbxaI9F8MImhlenLyNWXjHnjSXk4REh7Xzem+9
EDyCMs4faueoseDekX2b9oPt9LsITb73HBVfBSEgh8PcIwLTBjpCY+N84YvAaXBC
yx3Hr62tRRveWKIVqT9K/NqqC4b5ng4aQpNY0TsTLVmwFEfumCzzjGrbANSXWptT
I+fb15b8cl+e7h4STff4
=UzO0
-----END PGP SIGNATURE-----
--- End Message ---
-- Henri Salo
Attachment:
signature.asc
Description: Message signed with OpenPGP
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
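Editor's added example (not part of this message, and not tooling from OpenEXR or the CVE Assignment Team): each of the seven Valgrind reports above carries the same three facts a triager needs to bucket a fuzzer crash and draft a CVE description of the kind MITRE wrote: the access type and width ("Invalid read of size 2"), the innermost frame ("at 0x...: hufDecode (ImfHuf.cpp:898)"), and the "Address ... is N bytes before/after a block ... alloc'd" or "is not stack'd, malloc'd or (recently) free'd" line that tells heap bounds errors apart from wild pointers. The helper below parses those lines and reproduces the report's own convention that an invalid write is rated "crash or execute arbitrary code" (Code execution + Denial of Service) while an invalid read is rated "crash" (Denial of Service + Information Disclosure). The function names `parse_memcheck`, `suggested_description` and `impact_flags` are mine; the sample log is constructed from abbreviated excerpts of the CVE-2017-9110 and CVE-2017-9111 reports above, with two runs concatenated purely for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Valgrind memcheck prefixes every line with "==PID==".
PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
ACCESS_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(at|by) 0x([0-9A-Fa-f]+): (.+?) \((.+)\)$")
HEAP_ADDR_RE = re.compile(
    r"^Address 0x([0-9a-f]+) is (\d+) bytes (before|after|inside) "
    r"a block of size ([\d,]+) (alloc'd|free'd)$")
WILD_ADDR_RE = re.compile(
    r"^Address 0x([0-9a-f]+) is not stack'd, malloc'd or \(recently\) free'd$")


@dataclass
class MemcheckError:
    kind: str            # "read" or "write"
    size: int            # access width in bytes
    function: str        # innermost frame, e.g. "hufDecode" or "storeSSE<true>"
    location: str        # "file:line" or "in /path/to/lib.so"
    address_class: str   # heap-underflow / heap-overflow / use-after-free / wild-pointer / unknown
    detail: str          # the Address line's explanation, verbatim-ish


def _strip_prefix(line: str) -> Optional[str]:
    m = PREFIX_RE.match(line.rstrip("\n"))
    return m.group(1).strip() if m else None


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Extract one record per 'Invalid read/write' block in a memcheck log."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for raw in text.splitlines():
        body = _strip_prefix(raw)
        if body is None:
            continue
        m = ACCESS_RE.match(body)
        if m:
            current = MemcheckError(m.group(1), int(m.group(2)), "?", "?", "unknown", "")
            errors.append(current)
            continue
        if current is None:
            continue  # allocation-site frames after the Address line are not needed here
        m = FRAME_RE.match(body)
        if m and m.group(1) == "at" and current.function == "?":
            current.function, current.location = m.group(3), m.group(4)
            continue
        m = HEAP_ADDR_RE.match(body)
        if m:
            dist, rel, size, state = int(m.group(2)), m.group(3), m.group(4), m.group(5)
            if state == "free'd":
                current.address_class = "use-after-free"
            elif rel == "before":
                current.address_class = "heap-underflow"
            elif rel == "after":
                current.address_class = "heap-overflow"
            else:
                current.address_class = "heap-inside"
            current.detail = f"{dist} bytes {rel} a block of size {size} {state}"
            current = None  # the Address line closes the record
            continue
        m = WILD_ADDR_RE.match(body)
        if m:
            current.address_class = "wild-pointer"
            current.detail = "not stack'd, malloc'd or (recently) free'd"
            current = None
    return errors


def suggested_description(err: MemcheckError, product: str = "OpenEXR 2.2.0") -> str:
    """Draft a one-line description in the style of the CVE request form above."""
    func = re.sub(r"<.*>$", "", err.function)          # storeSSE<true> -> storeSSE
    where = err.location if err.location.startswith("in ") else err.location.split(":")[0]
    impact = "crash or execute arbitrary code" if err.kind == "write" else "crash"
    return (f"In {product}, an invalid {err.kind} of size {err.size} in the {func} "
            f"function in {where} could cause the application to {impact}.")


def impact_flags(err: MemcheckError) -> dict:
    """Writes may corrupt control data; reads leak or crash. Same split as the form above."""
    if err.kind == "write":
        return {"Code execution": True, "Denial of Service": True}
    return {"Denial of Service": True, "Information Disclosure": True}


# Constructed sample: abbreviated excerpts of two of the reports above, concatenated.
SAMPLE_LOG = """\
==25145== Invalid read of size 2
==25145==    at 0x4EDC452: hufDecode (ImfHuf.cpp:898)
==25145==    by 0x4EDC452: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1101)
==25145==    by 0x40283D: main (main.cpp:220)
==25145==  Address 0x717c03e is 2 bytes before a block of size 8,356,352 alloc'd
==25145==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1726== Invalid write of size 8
==1726==    at 0x4F5C940: storeSSE<true> (ImfOptimizedPixelReading.h:125)
==1726==    by 0x4F5C940: writeToRGBASSETemplate<false, true> (ImfOptimizedPixelReading.h:166)
==1726==  Address 0x4fd0070ea9f0 is not stack'd, malloc'd or (recently) free'd
==1726==
==1726== Process terminating with default action of signal 11 (SIGSEGV)
"""

if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(f"[{e.address_class}] {suggested_description(e)}  {impact_flags(e)}")
```

Run on the full Valgrind logs rather than the excerpts, the same parser yields one record per run; the address class is what separates the two heap reads adjacent to a block (CVE-2017-9110, CVE-2017-9112, CVE-2017-9114 style) from the unmapped-address writes that terminate with SIGSEGV, which is the distinction the form's impact fields encode.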
Current thread:
- Multiple crashes in OpenEXR Brandon Perry (May 15)
- Re: [oss-security] Multiple crashes in OpenEXR Brandon Perry (May 22)