MDVSA-2009:191-1
- Package name
- OpenEXR
- Date
- 2009-12-08
- Advisory ID
- MDVSA-2009:191-1
- Affected versions
- 2008.0 i586 , 2008.0 x86_64
Problem description
Multiple vulnerabilities has been found and corrected in OpenEXR:
Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1
allow context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via unspecified
vectors that trigger heap-based buffer overflows, related to (1)
the Imf::PreviewImage::PreviewImage function and (2) compressor
constructors. NOTE: some of these details are obtained from third
party information (CVE-2009-1720).
The decompression implementation in the Imf::hufUncompress function in
OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via vectors that trigger a free of an uninitialized pointer
(CVE-2009-1721).
Buffer overflow in the compression implementation in OpenEXR 1.2.2
allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via unspecified
vectors (CVE-2009-1722).
This update provides fixes for these vulnerabilities.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
Updated packages
2008.0 i586
d871ec8916e58946d88cee51dfb29906 2008.0/i586/libOpenEXR4-1.4.0-3.1mdv2008.0.i586.rpm 950408c16ab4787996f3e4a0363a2f08 2008.0/i586/libOpenEXR-devel-1.4.0-3.1mdv2008.0.i586.rpm 7841e6de8a3992014709b5ef4384e7b1 2008.0/i586/OpenEXR-1.4.0-3.1mdv2008.0.i586.rpm 462c13fc16159a38e14f7c4977ddad01 2008.0/SRPMS/OpenEXR-1.4.0-3.1mdv2008.0.src.rpm
2008.0 x86_64
fbbc98d890871fa7ee51606c32c40897 2008.0/x86_64/lib64OpenEXR4-1.4.0-3.1mdv2008.0.x86_64.rpm 6898d32809ffee7f7cb2e960ca9244e1 2008.0/x86_64/lib64OpenEXR-devel-1.4.0-3.1mdv2008.0.x86_64.rpm 6b52dedf34ef41052a472049258677d1 2008.0/x86_64/OpenEXR-1.4.0-3.1mdv2008.0.x86_64.rpm 462c13fc16159a38e14f7c4977ddad01 2008.0/SRPMS/OpenEXR-1.4.0-3.1mdv2008.0.src.rpm