openEuler 20.03 LTS SP1 update for OpenEXR
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2021-3598 CVE-2020-11759 CVE-2020-15306 CVE-2020-11763 CVE-2020-11761 CVE-2020-11765 CVE-2020-11760 CVE-2020-15305 CVE-2020-11758 CVE-2020-11764 CVE-2020-11762 |
| CWE-ID | CWE-122 CWE-190 CWE-787 CWE-125 CWE-193 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
openEuler Operating systems & Components / Operating system OpenEXR-debugsource Operating systems & Components / Operating system package or component OpenEXR-libs Operating systems & Components / Operating system package or component OpenEXR-devel Operating systems & Components / Operating system package or component OpenEXR-debuginfo Operating systems & Components / Operating system package or component OpenEXR Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU54399
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3598
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the readChars() function in ImfIO.h. A remote attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer overflow
EUVDB-ID: #VU34463
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11759
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU31715
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15306
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in "getChunkOffsetTableSize()" in "IlmImf/ImfMisc.cpp". A local user can pass specially crafted data to the applicatoin, trigger heap-based buffer overflow and cause a denial of service conditon on the target system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds write
EUVDB-ID: #VU34467
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11763
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU34465
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11761
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Off-by-one
EUVDB-ID: #VU34469
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11765
CWE-ID:
CWE-193 - Off-by-one Error
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU34464
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11760
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free
EUVDB-ID: #VU31714
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15305
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in "DeepScanLineInputFile::DeepScanLineInputFile()" in "IlmImf/ImfDeepScanLineInputFile.cpp". A local user can cause a denial of service (DoS) condition on the target system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU34462
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11758
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds write
EUVDB-ID: #VU34468
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11764
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds write
EUVDB-ID: #VU34466
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11762
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
OpenEXR-debugsource: before 2.2.0-22
OpenEXR-libs: before 2.2.0-22
OpenEXR-devel: before 2.2.0-22
OpenEXR-debuginfo: before 2.2.0-22
OpenEXR: before 2.2.0-22
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
