Security update for openexr SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:2351-1 Final 1 1 2020-12-28T05:22:09Z current 2020-12-28T05:22:09Z 2020-12-28T05:22:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openexr This update for openexr fixes the following issues: Security issues fixed: - CVE-2020-16587: Fixed a heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp (bsc#1179879). - CVE-2020-16588: Fixed a null pointer deference in generatePreview (bsc#1179879). - CVE-2020-16589: Fixed a heap-based buffer overflow in writeTileData in ImfTiledOutputFile.cpp (bsc#1179879). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-2351 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ESEVYLX65LTFDH2ZVMY2Y4AN2MUHW5M5/ E-Mail link for openSUSE-SU-2020:2351-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179879 SUSE Bug 1179879 https://www.suse.com/security/cve/CVE-2020-16587/ SUSE CVE CVE-2020-16587 page https://www.suse.com/security/cve/CVE-2020-16588/ SUSE CVE CVE-2020-16588 page https://www.suse.com/security/cve/CVE-2020-16589/ SUSE CVE CVE-2020-16589 page openSUSE Leap 15.2 libIlmImf-2_2-23-2.2.1-lp152.7.8.1 libIlmImf-2_2-23-32bit-2.2.1-lp152.7.8.1 libIlmImfUtil-2_2-23-2.2.1-lp152.7.8.1 libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.8.1 openexr-2.2.1-lp152.7.8.1 openexr-devel-2.2.1-lp152.7.8.1 openexr-doc-2.2.1-lp152.7.8.1 libIlmImf-2_2-23-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 libIlmImf-2_2-23-32bit-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 libIlmImfUtil-2_2-23-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 openexr-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 openexr-devel-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 openexr-doc-2.2.1-lp152.7.8.1 as a component of openSUSE Leap 15.2 A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file. CVE-2020-16587 openSUSE Leap 15.2:libIlmImf-2_2-23-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImf-2_2-23-32bit-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-devel-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-doc-2.2.1-lp152.7.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ESEVYLX65LTFDH2ZVMY2Y4AN2MUHW5M5/ https://www.suse.com/security/cve/CVE-2020-16587.html CVE-2020-16587 https://bugzilla.suse.com/1179879 SUSE Bug 1179879 https://bugzilla.suse.com/1180108 SUSE Bug 1180108 https://bugzilla.suse.com/1180109 SUSE Bug 1180109 A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file. CVE-2020-16588 openSUSE Leap 15.2:libIlmImf-2_2-23-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImf-2_2-23-32bit-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-devel-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-doc-2.2.1-lp152.7.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ESEVYLX65LTFDH2ZVMY2Y4AN2MUHW5M5/ https://www.suse.com/security/cve/CVE-2020-16588.html CVE-2020-16588 https://bugzilla.suse.com/1179879 SUSE Bug 1179879 https://bugzilla.suse.com/1180108 SUSE Bug 1180108 A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file. CVE-2020-16589 openSUSE Leap 15.2:libIlmImf-2_2-23-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImf-2_2-23-32bit-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-devel-2.2.1-lp152.7.8.1 openSUSE Leap 15.2:openexr-doc-2.2.1-lp152.7.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ESEVYLX65LTFDH2ZVMY2Y4AN2MUHW5M5/ https://www.suse.com/security/cve/CVE-2020-16589.html CVE-2020-16589 https://bugzilla.suse.com/1179879 SUSE Bug 1179879 https://bugzilla.suse.com/1180109 SUSE Bug 1180109