Security update for openexr SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1537-1 Final 1 1 2021-12-06T13:06:33Z current 2021-12-06T13:06:33Z 2021-12-06T13:06:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openexr This update for openexr fixes the following issues: - CVE-2021-3941: Fixed divide-by-zero in Imf_3_1:RGBtoXYZ (bsc#1192556). - CVE-2021-3933: Fixed integer-overflow in Imf_3_1:bytesPerDeepLineTable (bsc#1192498). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1537 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EKJUN3YRRGAS46NITMDUWNKKE4DUYDHB/ E-Mail link for openSUSE-SU-2021:1537-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1192498 SUSE Bug 1192498 https://bugzilla.suse.com/1192556 SUSE Bug 1192556 https://www.suse.com/security/cve/CVE-2021-3933/ SUSE CVE CVE-2021-3933 page https://www.suse.com/security/cve/CVE-2021-3941/ SUSE CVE CVE-2021-3941 page openSUSE Leap 15.2 libIlmImf-2_2-23-2.2.1-lp152.7.23.1 libIlmImf-2_2-23-32bit-2.2.1-lp152.7.23.1 libIlmImfUtil-2_2-23-2.2.1-lp152.7.23.1 libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.23.1 openexr-2.2.1-lp152.7.23.1 openexr-devel-2.2.1-lp152.7.23.1 openexr-doc-2.2.1-lp152.7.23.1 libIlmImf-2_2-23-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 libIlmImf-2_2-23-32bit-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 libIlmImfUtil-2_2-23-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 openexr-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 openexr-devel-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 openexr-doc-2.2.1-lp152.7.23.1 as a component of openSUSE Leap 15.2 An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths. CVE-2021-3933 openSUSE Leap 15.2:libIlmImf-2_2-23-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:libIlmImf-2_2-23-32bit-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:openexr-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:openexr-devel-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:openexr-doc-2.2.1-lp152.7.23.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EKJUN3YRRGAS46NITMDUWNKKE4DUYDHB/ https://www.suse.com/security/cve/CVE-2021-3933.html CVE-2021-3933 https://bugzilla.suse.com/1192498 SUSE Bug 1192498 In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR. CVE-2021-3941 openSUSE Leap 15.2:libIlmImf-2_2-23-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:libIlmImf-2_2-23-32bit-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:openexr-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:openexr-devel-2.2.1-lp152.7.23.1 openSUSE Leap 15.2:openexr-doc-2.2.1-lp152.7.23.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EKJUN3YRRGAS46NITMDUWNKKE4DUYDHB/ https://www.suse.com/security/cve/CVE-2021-3941.html CVE-2021-3941 https://bugzilla.suse.com/1192556 SUSE Bug 1192556