I've been asked to forward the following message from Francois Chardavoine at Lucasfilm:
Several of you have contacted us recently with concerns about potential security vulnerabilities (CVEs) in OpenEXR. We wanted to let the community know that we are aware of the seriousness of the reported vulnerabilities and the implications for OpenEXR, and are hoping to have them resolved as soon as possible. Please look forward to an announcement soon.

> On Oct 22, 2017, at 10:32 PM, Shane Ambler <[email protected]> wrote:
>
> Currently oiio relies on openexr and there is no option to disable its use.
>
> Seems there are several security reports related to openexr and there appears to be some lack of interest in repairing the issues, at least on github; contact has been attempted directly to ILM.
>
> Today a discussion was started about changing the status of the openexr libraries from vulnerable to forbidden, not sure if it will get support. This is in the freebsd ports, which could be the first/one of many.
>
> This sounds like a very damaging step to me.
>
> If openexr is removed as an available dependency, can oiio still be built? Could an option be added instead of multiple patches being made for each system package?
>
> OpenEXR is a bsd licensed project. Anyone interested in forking it?
>
> The list of vulnerabilities in the discussion -
>
> CVE-2017-9110 In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
> CVE-2017-9111 In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
> CVE-2017-9112 In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
> CVE-2017-9113 In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.
> CVE-2017-9114 In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
> CVE-2017-9115 In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.
> CVE-2017-9116 In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.
>
> --
> FreeBSD - the place to B...Software Developing
>
> Shane Ambler
>
> _______________________________________________
> Oiio-dev mailing list
> [email protected]
> http://lists.openimageio.org/listinfo.cgi/oiio-dev-openimageio.org

--
Larry Gritz
[email protected]
