Security update for openexr SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:1962-1 Final 1 1 2019-07-24T09:41:20Z current 2019-07-24T09:41:20Z 2019-07-24T09:41:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openexr This update for openexr fixes the following issues: Security issue fixed: - CVE-2017-9111: Fixed an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h (bsc#1040109). - CVE-2017-9113: Fixed an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp (bsc#1040113). - CVE-2017-9115: Fixed an invalid write of size 2 in the = operator function inhalf.h (bsc#1040115). - CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455). - CVE-2017-9112: Fixed invalid read of size 1 in the getBits function in ImfHuf.cpp (bsc#1040112). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-1962,SUSE-SLE-DESKTOP-12-SP4-2019-1962,SUSE-SLE-SDK-12-SP4-2019-1962,SUSE-SLE-SERVER-12-SP4-2019-1962,SUSE-SLE-WE-12-SP4-2019-1962 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/ Link for SUSE-SU-2019:1962-1 https://lists.suse.com/pipermail/sle-security-updates/2019-July/005747.html E-Mail link for SUSE-SU-2019:1962-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1040109 SUSE Bug 1040109 https://bugzilla.suse.com/1040112 SUSE Bug 1040112 https://bugzilla.suse.com/1040113 SUSE Bug 1040113 https://bugzilla.suse.com/1040115 SUSE Bug 1040115 https://bugzilla.suse.com/1113455 SUSE Bug 1113455 https://www.suse.com/security/cve/CVE-2017-9111/ SUSE CVE CVE-2017-9111 page https://www.suse.com/security/cve/CVE-2017-9112/ SUSE CVE CVE-2017-9112 page https://www.suse.com/security/cve/CVE-2017-9113/ SUSE CVE CVE-2017-9113 page https://www.suse.com/security/cve/CVE-2017-9115/ SUSE CVE CVE-2017-9115 page https://www.suse.com/security/cve/CVE-2018-18444/ SUSE CVE CVE-2018-18444 page SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Software Development Kit 12 SP4 SUSE Linux Enterprise Workstation Extension 12 SP4 libIlmImf-Imf_2_1-21-2.1.0-6.10.1 libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 libIlmImf-Imf_2_1-21-64bit-2.1.0-6.10.1 openexr-2.1.0-6.10.1 openexr-devel-2.1.0-6.10.1 openexr-doc-2.1.0-6.10.1 libIlmImf-Imf_2_1-21-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Desktop 12 SP4 libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Desktop 12 SP4 openexr-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Desktop 12 SP4 libIlmImf-Imf_2_1-21-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Server 12 SP4 openexr-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Server 12 SP4 libIlmImf-Imf_2_1-21-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 openexr-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 openexr-devel-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP4 libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP4 In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code. CVE-2017-9111 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:openexr-devel-2.1.0-6.10.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/ https://www.suse.com/security/cve/CVE-2017-9111.html CVE-2017-9111 https://bugzilla.suse.com/1040109 SUSE Bug 1040109 In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. CVE-2017-9112 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:openexr-devel-2.1.0-6.10.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/ https://www.suse.com/security/cve/CVE-2017-9112.html CVE-2017-9112 https://bugzilla.suse.com/1040112 SUSE Bug 1040112 In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code. CVE-2017-9113 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:openexr-devel-2.1.0-6.10.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/ https://www.suse.com/security/cve/CVE-2017-9113.html CVE-2017-9113 https://bugzilla.suse.com/1040113 SUSE Bug 1040113 In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code. CVE-2017-9115 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:openexr-devel-2.1.0-6.10.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/ https://www.suse.com/security/cve/CVE-2017-9115.html CVE-2017-9115 https://bugzilla.suse.com/1040115 SUSE Bug 1040115 makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possibly unspecified other impact. CVE-2018-18444 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 SUSE Linux Enterprise Desktop 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libIlmImf-Imf_2_1-21-2.1.0-6.10.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:openexr-2.1.0-6.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:openexr-devel-2.1.0-6.10.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/ https://www.suse.com/security/cve/CVE-2018-18444.html CVE-2018-18444 https://bugzilla.suse.com/1113455 SUSE Bug 1113455