Security update for openexr SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:2043-1 Final 1 1 2019-08-02T13:18:41Z current 2019-08-02T13:18:41Z 2019-08-02T13:18:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openexr This update for openexr fixes the following issues: - CVE-2017-14988: Fixed a denial of service in Header::readfrom() (bsc#1061305). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-2043,SUSE-SLE-Module-Desktop-Applications-15-2019-2043,SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2043,SUSE-SLE-Module-Development-Tools-OBS-15-2019-2043,SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2043 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20192043-1/ Link for SUSE-SU-2019:2043-1 https://lists.suse.com/pipermail/sle-security-updates/2019-August/005771.html E-Mail link for SUSE-SU-2019:2043-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1061305 SUSE Bug 1061305 https://www.suse.com/security/cve/CVE-2017-14988/ SUSE CVE CVE-2017-14988 page SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 SP1 libIlmImf-2_2-23-2.2.1-3.9.2 libIlmImf-2_2-23-32bit-2.2.1-3.9.2 libIlmImf-2_2-23-64bit-2.2.1-3.9.2 libIlmImfUtil-2_2-23-2.2.1-3.9.2 libIlmImfUtil-2_2-23-32bit-2.2.1-3.9.2 libIlmImfUtil-2_2-23-64bit-2.2.1-3.9.2 openexr-2.2.1-3.9.2 openexr-devel-2.2.1-3.9.2 openexr-doc-2.2.1-3.9.2 libIlmImf-2_2-23-2.2.1-3.9.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 libIlmImfUtil-2_2-23-2.2.1-3.9.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 openexr-devel-2.2.1-3.9.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 libIlmImf-2_2-23-2.2.1-3.9.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 libIlmImfUtil-2_2-23-2.2.1-3.9.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 openexr-devel-2.2.1-3.9.2 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 ** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid. CVE-2017-14988 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.9.2 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.9.2 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.9.2 SUSE Linux Enterprise Module for Desktop Applications 15:libIlmImf-2_2-23-2.2.1-3.9.2 SUSE Linux Enterprise Module for Desktop Applications 15:libIlmImfUtil-2_2-23-2.2.1-3.9.2 SUSE Linux Enterprise Module for Desktop Applications 15:openexr-devel-2.2.1-3.9.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192043-1/ https://www.suse.com/security/cve/CVE-2017-14988.html CVE-2017-14988 https://bugzilla.suse.com/1061305 SUSE Bug 1061305