Security update for openexr SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1293-1 Final 1 1 2020-05-18T05:38:10Z current 2020-05-18T05:38:10Z 2020-05-18T05:38:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openexr This update for openexr provides the following fix: Security issues fixed: - CVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read function by DwaCompressor:Classifier:Classifier (bsc#1169575). - CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574). - CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp (bsc#1169576). - CVE-2020-11762: Fixed an out-of-bounds read and write in DwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case (bsc#1169549). - CVE-2020-11761: Fixed an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder:refill in ImfFastHuf.cpp (bsc#1169578). - CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp (bsc#1169580). - CVE-2020-11758: Fixed an out-of-bounds read in ImfOptimizedPixelReading.h (bsc#1169573). Non-security issue fixed: - Enable tests when building the package on x86_64. (bsc#1146648) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/lmcache-vllm-openai:0-2020-1293,Container containers/open-webui:0-2020-1293,Container containers/vllm-openai:0-2020-1293,Image ai_15_6-2020-1293,SUSE-2020-1293,SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1293,SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1293 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ Link for SUSE-SU-2020:1293-1 https://lists.suse.com/pipermail/sle-security-updates/2020-May/006826.html E-Mail link for SUSE-SU-2020:1293-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1146648 SUSE Bug 1146648 https://bugzilla.suse.com/1169549 SUSE Bug 1169549 https://bugzilla.suse.com/1169573 SUSE Bug 1169573 https://bugzilla.suse.com/1169574 SUSE Bug 1169574 https://bugzilla.suse.com/1169575 SUSE Bug 1169575 https://bugzilla.suse.com/1169576 SUSE Bug 1169576 https://bugzilla.suse.com/1169578 SUSE Bug 1169578 https://bugzilla.suse.com/1169580 SUSE Bug 1169580 https://www.suse.com/security/cve/CVE-2020-11758/ SUSE CVE CVE-2020-11758 page https://www.suse.com/security/cve/CVE-2020-11760/ SUSE CVE CVE-2020-11760 page https://www.suse.com/security/cve/CVE-2020-11761/ SUSE CVE CVE-2020-11761 page https://www.suse.com/security/cve/CVE-2020-11762/ SUSE CVE CVE-2020-11762 page https://www.suse.com/security/cve/CVE-2020-11763/ SUSE CVE CVE-2020-11763 page https://www.suse.com/security/cve/CVE-2020-11764/ SUSE CVE CVE-2020-11764 page https://www.suse.com/security/cve/CVE-2020-11765/ SUSE CVE CVE-2020-11765 page Container containers/lmcache-vllm-openai:0 Container containers/open-webui:0 Container containers/vllm-openai:0 Image ai_15_6 SUSE Linux Enterprise Module for Desktop Applications 15 SP1 libIlmImf-2_2-23-2.2.1-3.14.1 libIlmImf-2_2-23-32bit-2.2.1-3.14.1 libIlmImf-2_2-23-64bit-2.2.1-3.14.1 libIlmImfUtil-2_2-23-2.2.1-3.14.1 libIlmImfUtil-2_2-23-32bit-2.2.1-3.14.1 libIlmImfUtil-2_2-23-64bit-2.2.1-3.14.1 openexr-2.2.1-3.14.1 openexr-devel-2.2.1-3.14.1 openexr-doc-2.2.1-3.14.1 libIlmImf-2_2-23-2.2.1-3.14.1 as a component of Container containers/lmcache-vllm-openai:0 libIlmImf-2_2-23-2.2.1-3.14.1 as a component of Container containers/open-webui:0 libIlmImf-2_2-23-2.2.1-3.14.1 as a component of Container containers/vllm-openai:0 libIlmImf-2_2-23-2.2.1-3.14.1 as a component of Image ai_15_6 libIlmImf-2_2-23-2.2.1-3.14.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 libIlmImfUtil-2_2-23-2.2.1-3.14.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 openexr-devel-2.2.1-3.14.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h. CVE-2020-11758 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11758.html CVE-2020-11758 https://bugzilla.suse.com/1169549 SUSE Bug 1169549 https://bugzilla.suse.com/1169573 SUSE Bug 1169573 https://bugzilla.suse.com/1169574 SUSE Bug 1169574 An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp. CVE-2020-11760 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11760.html CVE-2020-11760 https://bugzilla.suse.com/1169580 SUSE Bug 1169580 An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. CVE-2020-11761 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11761.html CVE-2020-11761 https://bugzilla.suse.com/1169578 SUSE Bug 1169578 An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case. CVE-2020-11762 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11762.html CVE-2020-11762 https://bugzilla.suse.com/1169549 SUSE Bug 1169549 https://bugzilla.suse.com/1169573 SUSE Bug 1169573 https://bugzilla.suse.com/1169574 SUSE Bug 1169574 https://bugzilla.suse.com/1169575 SUSE Bug 1169575 https://bugzilla.suse.com/1169576 SUSE Bug 1169576 https://bugzilla.suse.com/1169578 SUSE Bug 1169578 https://bugzilla.suse.com/1169579 SUSE Bug 1169579 https://bugzilla.suse.com/1169580 SUSE Bug 1169580 An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. CVE-2020-11763 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11763.html CVE-2020-11763 https://bugzilla.suse.com/1169576 SUSE Bug 1169576 An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp. CVE-2020-11764 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11764.html CVE-2020-11764 https://bugzilla.suse.com/1169574 SUSE Bug 1169574 An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. CVE-2020-11765 Container containers/lmcache-vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/open-webui:0:libIlmImf-2_2-23-2.2.1-3.14.1 Container containers/vllm-openai:0:libIlmImf-2_2-23-2.2.1-3.14.1 Image ai_15_6:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImf-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libIlmImfUtil-2_2-23-2.2.1-3.14.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:openexr-devel-2.2.1-3.14.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/ https://www.suse.com/security/cve/CVE-2020-11765.html CVE-2020-11765 https://bugzilla.suse.com/1169575 SUSE Bug 1169575