CVE-2023-5841: […] Heap Overflow in Scanline Deep Data Parsing #1625
Comments
No message was ever received at security@openexr.com, so this is the first notice we've seen of the vulnerability. We'll investigate right away.
So there must be some issue in the reporting (note I'm just a bystander from a downstream distribution): According to their timeline there was disclosure on 2023-11-09 via security@openexr.com and a reminder on 2024-01-25. I have mailed cve@takeonme.org to see if there was an issue on receiving communication.
For context, I am also “a bystander from a downstream distribution” – I co-maintain the
Hello! AHA! attempted disclosure on November 9, then again on January 25. We never received a reply to either. If you want to check your spam filters, it would have been from aha@takeonme.org with the subject "CVE-2023-5841 disclosure"
We may have had a problem with the email configuration; we're investigating. At any rate, #1627 should fix it; can you confirm? We'll make a release shortly.
Resolved by #1627, released in 3.2.2 and 3.1.12, and CVE sites have been updated.
CVE-2023-5841 was recently disclosed, describing a “failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data,” resulting in a heap buffer overflow.
Has a fix for this issue been prepared yet? I was not able to find any commits, issues, or PRs that appeared to be related.
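The class of check the CVE description points at, as an added illustration that is not OpenEXR's code and not the fix in #1627: before sample data from a deep scanline chunk is copied into a buffer sized from the chunk's declared unpacked size, the per-pixel sample count table must be shown to be consistent with that size. The function name, the assumption that the table is stored cumulatively, and the sample values are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical validator (added example, not OpenEXR's own code). Assumes a
 * deep scanline chunk carries a per-pixel sample count table stored
 * cumulatively (entry x = number of samples in pixels 0..x) plus a declared
 * unpacked data size. Returns true only if the table is internally
 * consistent and the byte count it implies equals unpacked_size exactly;
 * any mismatch or arithmetic wrap is rejected so no copy can exceed the
 * buffer allocated from unpacked_size. */
bool deep_scanline_table_is_valid(const uint32_t *cumulative, size_t width,
                                  uint64_t bytes_per_sample,
                                  uint64_t unpacked_size)
{
    if (cumulative == NULL || width == 0 || bytes_per_sample == 0)
        return false;

    /* A cumulative table must never decrease; a decreasing entry would
     * imply a negative per-pixel count and marks a corrupt or hostile file. */
    for (size_t x = 1; x < width; ++x)
        if (cumulative[x] < cumulative[x - 1])
            return false;

    uint64_t total_samples = cumulative[width - 1];

    /* Guard the multiplication so a huge sample count cannot wrap to a
     * small byte count that happens to match unpacked_size. */
    if (total_samples != 0 && bytes_per_sample > UINT64_MAX / total_samples)
        return false;

    return total_samples * bytes_per_sample == unpacked_size;
}

/* Constructed 4-pixel scanline: 2, 1, 0, 3 samples per pixel, stored
 * cumulatively as 2, 3, 3, 6; with 8 bytes per sample (e.g. two FLOAT
 * channels) the chunk must declare exactly 48 unpacked bytes. */
bool example_good_table(void)
{
    static const uint32_t table[4] = {2, 3, 3, 6};
    return deep_scanline_table_is_valid(table, 4, 8, 48);
}
```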