Your message dated Fri, 9 Sep 2022 09:27:55 +0200
with message-id <[email protected]>
and subject line Re: tinyexr: CVE-2018-12688 CVE-2018-12064 CVE-2022-34300
has caused the Debian Bug report #1014980,
regarding tinyexr: CVE-2018-12688 CVE-2018-12064 CVE-2022-34300
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014980
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tinyexr
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for tinyexr.
CVE-2018-12688[0]:
| tinyexr 0.9.5 has a segmentation fault in the wav2Decode function.
https://github.com/syoyo/tinyexr/issues/83
CVE-2018-12064[1]:
| tinyexr 0.9.5 has a heap-based buffer over-read via
| tinyexr::ReadChannelInfo in tinyexr.h.
Doesn't seem to have been reported upstream so far:
https://github.com/ChijinZ/security_advisories/tree/master/tinyexr_7953aea
CVE-2022-34300[2]:
| In tinyexr 1.0.1, there is a heap-based buffer over-read in
| tinyexr::DecodePixelData.
https://github.com/syoyo/tinyexr/issues/167
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-12688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12688
[1] https://security-tracker.debian.org/tracker/CVE-2018-12064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12064
[2] https://security-tracker.debian.org/tracker/CVE-2022-34300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34300
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
I looked further into this issue with "git bisect" on the upstream
repository.
On Thu, 8 Sep 2022 20:59:14 +0200 Timo Röhling <[email protected]> wrote:
> CVE-2018-12688[0]:
> | tinyexr 0.9.5 has a segmentation fault in the wav2Decode function.
>
> https://github.com/syoyo/tinyexr/issues/83
I cannot reproduce this.
This has been fixed by commit 6c3b01ff9223036fb1c7a6f1cc2d3a63cc1e7c1d
on March 5th, 2019.
> CVE-2018-12064[1]:
> | tinyexr 0.9.5 has a heap-based buffer over-read via
> | tinyexr::ReadChannelInfo in tinyexr.h.
>
> Doesn't seem to have been reported upstream so far:
> https://github.com/ChijinZ/security_advisories/tree/master/tinyexr_7953aea
I cannot reproduce this either.
This has been fixed by commit 6fd0c1f7575b9119f287fbe5577b2eff41c71bd5
on June 7th, 2018.
Both fixes are included in release 1.0.0 (September 9th, 2020), so the Debian
packages were never vulnerable.
Cheers
Timo
--
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯
signature.asc
Description: PGP signature
--- End Message ---
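The closing message settles the bug by locating the fixing commits with "git bisect" and then arguing that both are contained in the 1.0.0 release. The script below is an added example, not part of the thread and not code from tinyexr or Debian: it builds a small throwaway git history offline (a "parser" that crashes on a crafted input until one commit fixes it, tagged v0.9.5 before and v1.0.0 after), bisects for the fixing commit with the old/new terms inverted so that bisect hunts for a fix rather than a regression, and then checks with "git merge-base --is-ancestor" whether a given tag already carries that fix. The toy repository, its tag names and the crafted-input test are all constructed here; against a real clone of the upstream repository the same ancestry check would be run with the commit hashes quoted in the message and the upstream release tag (assumed to be named v1.0.0).

```shell
#!/bin/sh
# Added example (not from the bug thread): locate a fixing commit with
# git bisect and check which release tags contain it.
set -eu

# Build a constructed toy repository. Three "broken" commits ship a parser
# that exits 139 (SIGSEGV-style) on the input "crafted"; one commit fixes
# it; two more commits follow. v0.9.5 is tagged before the fix, v1.0.0 after.
make_toy_repo() {
  toy=$(mktemp -d)
  git -C "$toy" init -q
  git -C "$toy" config user.email toy@example.invalid
  git -C "$toy" config user.name toy
  git -C "$toy" config commit.gpgsign false
  for i in 1 2 3; do
    printf '#!/bin/sh\n[ "$1" = crafted ] && exit 139\nexit 0\n' > "$toy/parse.sh"
    echo "work $i" >> "$toy/notes"
    git -C "$toy" add . && git -C "$toy" commit -qm "commit $i"
  done
  git -C "$toy" tag v0.9.5
  printf '#!/bin/sh\nexit 0\n' > "$toy/parse.sh"        # the fix
  git -C "$toy" add . && git -C "$toy" commit -qm "fix crash on crafted input"
  for i in 5 6; do
    echo "work $i" >> "$toy/notes"
    git -C "$toy" add . && git -C "$toy" commit -qm "commit $i"
  done
  git -C "$toy" tag v1.0.0
  echo "$toy"
}

# Bisect for the commit that FIXED the crash. git bisect normally searches
# for the first "bad" commit, so the terms are renamed: the old state is
# "broken", the new state is "fixed". Prints the first fixed commit hash.
find_fixing_commit() {
  (
    cd "$1"
    git bisect start --term-old=broken --term-new=fixed >/dev/null
    git bisect broken v0.9.5 >/dev/null
    git bisect fixed v1.0.0 >/dev/null
    # bisect run: exit 0 means old (broken), non-zero means new (fixed).
    # The "!" inverts the test so a crash counts as "still broken".
    git bisect run sh -c '! sh parse.sh crafted' >/dev/null 2>&1
    git rev-parse refs/bisect/fixed          # refs/bisect/<term-new>
    git bisect reset >/dev/null 2>&1
  )
}

# Exit 0 if commit $2 is an ancestor of tag $3 in repo $1, i.e. the
# release already contains the fix; exit 1 otherwise.
fix_in_release() {
  git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Demo: build the toy history, find the fix, classify the two releases.
demo_repo=$(make_toy_repo)
demo_fix=$(find_fixing_commit "$demo_repo")
echo "first fixed commit: $demo_fix"
for tag in v0.9.5 v1.0.0; do
  if fix_in_release "$demo_repo" "$demo_fix" "$tag"; then
    echo "$tag: contains the fix"
  else
    echo "$tag: vulnerable"
  fi
done
rm -rf "$demo_repo"
```

In a real clone the equivalent one-liners are "git merge-base --is-ancestor <fix-commit> <release-tag>" (exit status 0 means contained) or "git tag --contains <fix-commit>" to list every tag that carries the fix; the inverted-terms bisect is worth remembering because a plain "git bisect good/bad" run against a fix rather than a regression will report the wrong commit.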