CVE-2023-5841: […] Heap Overflow in Scanline Deep Data Parsing

[musicinmybrain]

CVE-2023-5841 was recently disclosed, describing a “failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data,” resulting in a heap buffer overflow.

Has a fix for this issue been prepared yet? I was not able to find any commits, issues, or PR’s that appeared to be related.

[cary-ilm]

No message was ever received at security@openexr.com, so this is the first notice we've seen of the vulnerability. We'll investigate right away.

[carnil]

So there must be some issue in the reporting (note I'm just a bystander from a downstream distribution): According to their timeline there was disclosure on 2023-11-09 via security@openexr.com and a reminder on 2024-01-25.

I have mailed cve@takeonme.org to see if there was an issue on receiving communication.

[musicinmybrain]

For context, I am also “a bystander from a downstream distribution” – I co-maintain the usd package in Fedora, which relies on a lightly forked, bundled copy of openexr.

[todb]

Hello!

AHA! attempted disclosure on November 9, then again on January 25. We never received a reply to either. If you want to check your spam filters, it would have been from aha@takeonme.org with the subject "CVE-2023-5841 disclosure"

[cary-ilm]

We may have had a problem with the email configuration, we're investigating. At any rate, #1627 should fix it, can you confirm? We'll make a release shortly

[cary-ilm]

Resolved by #1627, released in 3.2.2 and 3.1.12, and CVE sites have been updated