Full Disclosure mailing list archives

Re: [oss-security] Multiple crashes in OpenEXR


From: Brandon Perry <bperry.volatile () gmail com>
Date: Mon, 22 May 2017 07:54:27 -0500


On May 12, 2017, at 1:48 PM, Brandon Perry <bperry.volatile () gmail com> wrote:


On May 12, 2017, at 1:45 PM, Henri Salo <henri () nerv fi> wrote:

On Fri, May 12, 2017 at 12:09:30PM -0500, Brandon Perry wrote:
As of this writing, <snip>. No CVEs have been requested.

Why not?

I’m lazy. I might this weekend.


Attached is the email from MITRE regarding the 7 CVE allocations.


--- Begin Message ---
From: <cve-request () mitre org>
Date: Sun, 21 May 2017 13:48:48 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The 7 CVE IDs are below. In our web form, the field sizes are
unfortunately not large enough for the full Valgrind output; however,
we understand that the intention was to send the Valgrind output in
the attached ZIP file of the
http://marc.info/?l=oss-security&m=149460897719400&w=2 post.


[Suggested description]
In OpenEXR 2.2.0,
an invalid read of size 2 in the hufDecode function in ImfHuf.cpp
could cause the application to crash.

------------------------------------------

[Additional Information]
==25145== Memcheck, a memory error detector
==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25145== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==25145== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000012,sig:11,src:000328+001154,op:splice,rep:16 /dev/null
==25145== 
==25145== Invalid read of size 2
==25145==    at 0x4EDC452: hufDecode (ImfHuf.cpp:898)
==25145==    by 0x4EDC452: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1101)
==25145==    by 0x4EE5680: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==25145==    by 0x4EE4E9D: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:284)
==25145==    by 0x4F5F4A3: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:540)
==25145==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==25145==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==25145==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==25145==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==25145==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==25145==    by 0x40283D: exr2aces (main.cpp:128)
==25145==    by 0x40283D: main (main.cpp:220)
==25145==  Address 0x717c03e is 2 bytes before a block of size 8,356,352 alloc'd
==25145==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25145==    by 0x4EE26EA: Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) (ImfPizCompressor.cpp:193)
==25145==    by 0x4EE0767: Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) (ImfCompressor.cpp:148)
== ...

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
ImfHuf.cpp, hufDecode function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
Someone must open a crafted

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9110.


[Suggested description]
In OpenEXR 2.2.0,
an invalid write of size 8 in the storeSSE function in
ImfOptimizedPixelReading.h could cause the application to crash or
execute arbitrary code.

------------------------------------------

[Additional Information]
==1726== Memcheck, a memory error detector
==1726== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1726== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1726== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000087,sig:11,src:000562+000300,op:splice,rep:2 /dev/null
==1726== 
==1726== Invalid write of size 8
==1726==    at 0x4F5C940: storeSSE<true> (ImfOptimizedPixelReading.h:125)
==1726==    by 0x4F5C940: writeToRGBASSETemplate<false, true> (ImfOptimizedPixelReading.h:166)
==1726==    by 0x4F5C940: optimizedWriteToRGBA (ImfOptimizedPixelReading.h:248)
==1726==    by 0x4F5C940: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:959)
==1726==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==1726==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==1726==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==1726==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==1726==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==1726==    by 0x40283D: exr2aces (main.cpp:128)
==1726==    by 0x40283D: main (main.cpp:220)
==1726==  Address 0x4fd0070ea9f0 is not stack'd, malloc'd or (recently) free'd
==1726== 
==1726== 
==1726== Process terminating with default action of signal 11 (SIGSEGV)
==1726==  Access not within mapped region at address 0x4FD0070EA9F0
==1726==    at 0x4F5C940: storeSSE<true> (ImfOptimizedPixelReading.h:125)
==1726==    by 0x4F5C940: writeToRGBASSETemplate<false, true> (ImfOptimizedPixelReading.h:166)
==1726==    by 0x4F5C940: optimizedWriteToRGBA (ImfOptimizedPixelReading.h:248)
==1726==    by 0x4F5C940: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:959)
==1726==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*)

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
ImfOptimizedPixelReading.h, storeSSE function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
Someone must open a crafted EXR image

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9111.


[Suggested description]
In OpenEXR 2.2.0,
an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.

------------------------------------------

[Additional Information]
==7206== Memcheck, a memory error detector
==7206== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7206== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==7206== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000103,sig:11,src:002037+004745,op:splice,rep:2 /dev/null
==7206== 
==7206== Invalid read of size 1
==7206==    at 0x4EDAA4D: getBits (ImfHuf.cpp:180)
==7206==    by 0x4EDAA4D: hufUnpackEncTable (ImfHuf.cpp:543)
==7206==    by 0x4EDAA4D: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1089)
==7206==    by 0x4EE5680: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==7206==    by 0x4EE4E9D: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:284)
==7206==    by 0x4F5BCD1: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:855)
==7206==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==7206==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==7206==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==7206==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==7206==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==7206==    by 0x40283D: exr2aces (main.cpp:128)
==7206==    by 0x40283D: main (main.cpp:220)
==7206==  Address 0x6daa4a0 is 0 bytes after a block of size 768 alloc'd
==7206==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7206==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7206==    by 0x4F523A2: EXRAllocAligned (ImfSystemSpecific.h:66)
==7206==    by 0x4F523A2: Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) (ImfScanLineInpu ...

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
ImfHuf.cpp, getBits function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
Someone must open a specially crafted EXR image.

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9112.


[Suggested description]
In OpenEXR 2.2.0,
an invalid write of size 1 in the bufferedReadPixels function in
ImfInputFile.cpp could cause the application to crash or execute
arbitrary code.

------------------------------------------

[Additional Information]
==17324== Memcheck, a memory error detector
==17324== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17324== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17324== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000131,sig:11,src:000514+002831,op:splice,rep:16 /dev/null
==17324== 
==17324== Invalid write of size 1
==17324==    at 0x4EB4FBA: bufferedReadPixels (ImfInputFile.cpp:331)
==17324==    by 0x4EB4FBA: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:811)
==17324==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==17324==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==17324==    by 0x40283D: exr2aces (main.cpp:128)
==17324==    by 0x40283D: main (main.cpp:220)
==17324==  Address 0xffffffd006dbf6d6 is not stack'd, malloc'd or (recently) free'd
==17324== 
==17324== 
==17324== Process terminating with default action of signal 11 (SIGSEGV)
==17324==  Access not within mapped region at address 0xFFFFFFD006DBF6D6
==17324==    at 0x4EB4FBA: bufferedReadPixels (ImfInputFile.cpp:331)
==17324==    by 0x4EB4FBA: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:811)
==17324==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==17324==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==17324==    by 0x40283D: exr2aces (main.cpp:128)
==17324==    by 0x40283D: main (main.cpp:220)
==17324==  If you believe this happened as a result of a stack
==17324==  overflow in your program's main thread (unlikely but
==17324==  possible), you can try to increase the size of the
==17324==  main thread stack using the --main-stacksize= flag.
==17324==  The main thread stack size used in this run was 8388608.
==17324== 
==17324== HEAP SUMMARY:
==17324==     in use at exit: 275,884 bytes in 198 blocks
==17324==   total heap usage: 254 allocs, 56 frees, 283,664 bytes allocated
== ...

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
ImfInputFile.cpp, bufferedReadPixels function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
Someone must open a crafted EXR image

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9113.


[Suggested description]
In OpenEXR 2.2.0,
an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.

------------------------------------------

[Additional Information]
==21490== Memcheck, a memory error detector
==21490== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21490== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21490== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000132,sig:11,src:000895,op:havoc,rep:32 /dev/null
==21490== 
==21490== Invalid read of size 1
==21490==    at 0x50394CB: refill (ImfFastHuf.cpp:491)
==21490==    by 0x50394CB: Imf_2_2::FastHufDecoder::decode(unsigned char const*, int, unsigned short*, int) (ImfFastHuf.cpp:643)
==21490==    by 0x4EDA77C: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1080)
==21490==    by 0x4EE5680: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfPizCompressor.cpp:576)
==21490==    by 0x4EE4E9D: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:284)
==21490==    by 0x4F5BCD1: Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() (ImfScanLineInputFile.cpp:855)
==21490==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==21490==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==21490==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==21490==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==21490==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==21490==    by 0x40283D: exr2aces (main.cpp:128)
==21490==    by 0x40283D: main (main.cpp:220)
==21490==  Address 0x6dcd950 is 0 bytes after a block of size 49,344 alloc'd
==21490==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21490==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21490==    by 0x4F523A2: EXRAllocAligned (ImfSystemSpecific.h:66)
==21490==    by ...

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
ImfFastHuf.cpp, refill function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
Someone must open a crafted EXR image.

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9114.


[Suggested description]
In OpenEXR 2.2.0,
an invalid write of size 2 in the = operator function in half.h could
cause the application to crash or execute arbitrary code.

------------------------------------------

[Additional Information]
==12435== Memcheck, a memory error detector
==12435== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12435== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12435== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000104,sig:11,src:001329+000334,op:splice,rep:2 /dev/null
==12435== 
==12435== Invalid write of size 2
==12435==    at 0x4F2D1F7: operator= (half.h:574)
==12435==    by 0x4F2D1F7: Imf_2_2::copyIntoFrameBuffer(char const*&, char*, char*, unsigned long, bool, double, Imf_2_2::Compressor::Format, Imf_2_2::PixelType, Imf_2_2::PixelType) (ImfMisc.cpp:317)
==12435==    by 0x4F5FDC5: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:635)
==12435==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==12435==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==12435==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==12435==    by 0x4ED4C42: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1302)
==12435==    by 0x4FB2416: Imf_2_2::AcesInputFile::readPixels(int, int) (ImfAcesFile.cpp:509)
==12435==    by 0x40283D: exr2aces (main.cpp:128)
==12435==    by 0x40283D: main (main.cpp:220)
==12435==  Address 0x4806d9b156 is not stack'd, malloc'd or (recently) free'd
==12435== 
==12435== 
==12435== Process terminating with default action of signal 11 (SIGSEGV)
==12435==  Access not within mapped region at address 0x4806D9B156
==12435==    at 0x4F2D1F7: operator= (half.h:574)
==12435==    by 0x4F2D1F7: Imf_2_2::copyIntoFrameBuffer(char const*&, char*, char*, unsigned long, bool, double, Imf_2_2::Compressor::Format, Imf_2_2::PixelType, Imf_2_2::PixelType) (ImfMisc.cpp:317)
==12435==    by 0x4F5FDC5: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:635)
==12435==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThrea ...

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
half.h, operator= function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
Someone must open a crafted EXR image.

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9115.


[Suggested description]
In OpenEXR 2.2.0,
an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.

------------------------------------------

[Additional Information]
==28224== Memcheck, a memory error detector
==28224== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28224== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28224== Command: /root/openexr/OpenEXR/exr2aces/build/exr2aces id:000077,sig:11,src:002575,op:havoc,rep:4 /dev/null
==28224== 
==28224== Invalid read of size 1
==28224==    at 0x6733D3A: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
==28224==    by 0x6738DD4: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
==28224==    by 0x503C7AD: Imf_2_2::Zip::uncompress(char const*, int, char*) (ImfZip.cpp:148)
==28224==    by 0x4F0ABB4: Imf_2_2::DwaCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) (ImfDwaCompressor.cpp:2592)
==28224==    by 0x4F09DF8: Imf_2_2::DwaCompressor::uncompress(char const*, int, int, char const*&) (ImfDwaCompressor.cpp:2312)
==28224==    by 0x4F5F4A3: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:540)
==28224==    by 0x54587BD: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433)
==28224==    by 0x4F58B47: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1612)
==28224==    by 0x4EB603F: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815)
==28224==    by 0x4ED2187: Imf_2_2::RgbaInputFile::FromYca::readYCAScanLine(int, Imf_2_2::Rgba*) (ImfRgbaFile.cpp:1126)
==28224==    by 0x4ED11F6: Imf_2_2::RgbaInputFile::FromYca::readPixels(int) (ImfRgbaFile.cpp:1050)
==28224==    by 0x4ED4CA1: readPixels (ImfRgbaFile.cpp:959)
==28224==    by 0x4ED4CA1: Imf_2_2::RgbaInputFile::readPixels(int, int) (ImfRgbaFile.cpp:1298)
==28224==  Address 0x6800000006d986d8 is not stack'd, malloc'd or (recently) free'd
==28224== 
==28224== 
==28224== Process terminating with default action of signal 11 (SIGSEGV)
==28224==  General Protection Fault
==28224==    at 0x6733D3A: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
==28224==    by 0x ...

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Industrial Light & Magic

------------------------------------------

[Affected Product Code Base]
OpenEXR - 2.2.0

------------------------------------------

[Affected Component]
ImfZip.cpp, uncompress function

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
Someone must open a crafted EXR image.

------------------------------------------

[Reference]
http://www.openwall.com/lists/oss-security/2017/05/12/5

------------------------------------------

[Discoverer]
Brandon Perry

Use CVE-2017-9116.


-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

--- End Message ---


--
Henri Salo


Attachment: signature.asc
Description: Message signed with OpenPGP


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
