Package name
OpenEXR
Date
2009-12-08
Advisory ID
MDVSA-2009:191-1
Affected versions
2008.0 i586, 2008.0 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in OpenEXR:

Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1
allow context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via unspecified
vectors that trigger heap-based buffer overflows, related to (1)
the Imf::PreviewImage::PreviewImage function and (2) compressor
constructors. NOTE: some of these details are obtained from third
party information (CVE-2009-1720).

The decompression implementation in the Imf::hufUncompress function in
OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via vectors that trigger a free of an uninitialized pointer
(CVE-2009-1721).

Buffer overflow in the compression implementation in OpenEXR 1.2.2
allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via unspecified
vectors (CVE-2009-1722).

This update provides fixes for these vulnerabilities.
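
As an added illustration (not OpenEXR's code and not part of the original advisory), the C example below shows the bug class described for CVE-2009-1720: a 32-bit width x height size computation that wraps before allocation, next to a checked version. The pixel type, the function names and the 64 MiB cap are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 4-byte RGBA pixel (assumption, not OpenEXR's type). */
typedef struct { uint8_t r, g, b, a; } preview_px;

/* Assumed policy cap on a preview buffer; not a value from the advisory. */
#define MAX_PREVIEW_BYTES ((size_t)64 * 1024 * 1024)

/* Weak form: the product is computed modulo 2^32, so large dimensions
   yield a small byte count and an undersized heap buffer. */
uint32_t unchecked_alloc_bytes(uint32_t width, uint32_t height)
{
    return width * height * (uint32_t)sizeof(preview_px);
}

/* Hardened form: bound the dimensions by division before multiplying.
   Returns 0 and stores the byte count in *out, or -1 if rejected. */
int checked_alloc_bytes(uint32_t width, uint32_t height, size_t *out)
{
    size_t max_px = MAX_PREVIEW_BYTES / sizeof(preview_px);
    if (width == 0 || height == 0 || height > max_px / width)
        return -1;
    *out = (size_t)width * height * sizeof(preview_px);
    return 0;
}

/* Allocates a zeroed pixel buffer, or returns NULL for rejected sizes. */
preview_px *preview_alloc(uint32_t width, uint32_t height)
{
    size_t bytes;
    if (checked_alloc_bytes(width, height, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65537 pixels needs about 16 GiB. */
    uint32_t w = 0x10000u, h = 0x10001u;
    size_t n = 0;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_alloc_bytes(w, h));
    printf("checked:   %s\n",
           checked_alloc_bytes(w, h, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the constructed dimensions, the unchecked computation returns 262144 bytes for an image that needs about 16 GiB, which is how a later per-pixel write runs past the end of the heap buffer.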

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

Updated packages

2008.0 i586

 d871ec8916e58946d88cee51dfb29906  2008.0/i586/libOpenEXR4-1.4.0-3.1mdv2008.0.i586.rpm
 950408c16ab4787996f3e4a0363a2f08  2008.0/i586/libOpenEXR-devel-1.4.0-3.1mdv2008.0.i586.rpm
 7841e6de8a3992014709b5ef4384e7b1  2008.0/i586/OpenEXR-1.4.0-3.1mdv2008.0.i586.rpm 
 462c13fc16159a38e14f7c4977ddad01  2008.0/SRPMS/OpenEXR-1.4.0-3.1mdv2008.0.src.rpm

2008.0 x86_64

 fbbc98d890871fa7ee51606c32c40897  2008.0/x86_64/lib64OpenEXR4-1.4.0-3.1mdv2008.0.x86_64.rpm
 6898d32809ffee7f7cb2e960ca9244e1  2008.0/x86_64/lib64OpenEXR-devel-1.4.0-3.1mdv2008.0.x86_64.rpm
 6b52dedf34ef41052a472049258677d1  2008.0/x86_64/OpenEXR-1.4.0-3.1mdv2008.0.x86_64.rpm 
 462c13fc16159a38e14f7c4977ddad01  2008.0/SRPMS/OpenEXR-1.4.0-3.1mdv2008.0.src.rpm
