OpenEXR vulnerabilities #21326
Comments
I have prepared PR #21327, which disables the bundled-in OpenEXR at runtime with a link to this issue. So let's keep OpenEXR-only problems in this issue. If you have concerns about openjpeg, please open another new issue. Initial analysis shows that OpenCV is not affected by the OpenJPEG issue, see the comment above. More analysis requires more input/details (which we don't have).
To fix OpenEXR, maybe you can update it to 3.x.
New OpenEXR requires C++11; OpenCV 3.4 is C++98. So no upgrade is planned here.
If you still need OpenEXR functionality and can ensure that the provided inputs are valid (from trusted sources), then you may turn off the mentioned flag through environment variables (check the internet for how to use them). Any downgrading attempt is a security hole. Not recommended in general. Avoid posting text information through screenshots on the internet. It is ridiculous.
@alalek Hi. I'm having the same problem as fschiffers, currently using opencv 4.5.5. I'd be really grateful if you could tell me more specific ways to fix this problem using environment variables. I've tried following the instructions from the error message, which was using export OPENCV_IO_ENABLE_OPENEXR = true or alternatively os.environ ~ = 'true', but it didn't work. Thanks
Both
Or using os.environ["OPENCV_IO_ENABLE_OPENEXR"]="1"
Why do you think you have the right to disable EXR without thinking about how many applications will stop because of this decision?
FYI, this environment variable can also be defined after importing |
We recently noticed this issue as well. Evaluating OpenCV's alternatives for saving/loading floating-point images shows that the TIFF and HDR formats work but are not lossless (at least for floats). PFM works, but the image files are about 4-5 times as large as with OpenEXR. Therefore, we would like to keep using OpenEXR. The first solution is to always define environment variables on each machine that should use it. This is the same as always activating OpenEXR by replacing the function
which avoids using environment variables but is unsafe for exactly the same reason. To our understanding from the discussion here and the linked issues, the reason is not a general security risk but only the outdated OpenEXR version used inside OpenCV. Upgrading to a more recent one would be a solution, but is not intended because OpenEXR has become a rather large library. Therefore, explicitly compiling OpenEXR and adding it as a dependency to OpenCV is the way to go. Here, we tried to compile OpenEXR as a static library using VS2022 and added it to OpenCV using the
Thereafter, compiling works except that
edit: Besides this, the preprocessor definition
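Putting the advice from the comments above into runnable form: the following is an added example of mine, not code from the OpenCV project or from anyone in this thread. It sets OPENCV_IO_ENABLE_OPENEXR in-process (the same opt-in the comments describe via export or os.environ), writes a constructed float32 image to EXR and to PFM, checks that the EXR read back is bit-exact, and reports the file sizes so the PFM-versus-EXR size remark can be checked locally. It assumes OpenCV 4.x with the bundled OpenEXR compiled in (for example the opencv-python wheel); the image contents and file names are made up for the demonstration.

```python
"""Added example (not from the OpenCV project or this thread): opt in to the
runtime OpenEXR codec via OPENCV_IO_ENABLE_OPENEXR and verify that a float32
image survives an EXR round trip bit-exactly, then compare the size with PFM.
Assumes OpenCV 4.x with OpenEXR compiled in."""
import os
import tempfile

import numpy as np

FLAG = "OPENCV_IO_ENABLE_OPENEXR"


def enable_openexr(env=os.environ):
    """Set the opt-in flag in the given environment mapping and return it.

    Shell equivalent: export OPENCV_IO_ENABLE_OPENEXR=1 (no spaces around '=').
    Set it before the first imread/imwrite call; doing so after `import cv2`
    still works, as noted in the thread. The flag is an acknowledgement that
    the EXR inputs come from a trusted source, since the bundled decoder is
    the unpatched one this issue is about.
    """
    env[FLAG] = "1"
    return env[FLAG]


def make_hdr_image(height=32, width=48):
    """Constructed 3-channel float32 image with values outside [0, 1]
    (negative and above 1), which an 8-bit-only path could not preserve."""
    ramp = np.linspace(-2.0, 10.0, height * width, dtype=np.float32)
    img = np.stack([ramp, ramp * 0.5, ramp * -1.0], axis=-1)
    return np.ascontiguousarray(img.reshape(height, width, 3))


def exr_roundtrip(cv2, tmpdir):
    """Write the probe image as EXR (32-bit float samples) and PFM, read the
    EXR back unchanged, and return a small report dict."""
    img = make_hdr_image()
    exr_path = os.path.join(tmpdir, "probe.exr")  # hypothetical file names
    pfm_path = os.path.join(tmpdir, "probe.pfm")
    # Request full 32-bit float samples; the HALF type would round the data.
    params = []
    if hasattr(cv2, "IMWRITE_EXR_TYPE"):
        params = [cv2.IMWRITE_EXR_TYPE, cv2.IMWRITE_EXR_TYPE_FLOAT]
    if not cv2.imwrite(exr_path, img, params):
        raise RuntimeError("imwrite to .exr failed (is the codec enabled?)")
    if not cv2.imwrite(pfm_path, img):
        raise RuntimeError("imwrite to .pfm failed")
    back = cv2.imread(exr_path, cv2.IMREAD_UNCHANGED)
    if back is None:
        raise RuntimeError("imread of .exr returned None")
    return {
        "lossless": back.dtype == np.float32 and np.array_equal(back, img),
        "exr_bytes": os.path.getsize(exr_path),
        "pfm_bytes": os.path.getsize(pfm_path),
        "raw_bytes": img.nbytes,
    }


def try_demo():
    """Run the round trip; return None when OpenCV is not installed so the
    module stays importable on machines without cv2."""
    enable_openexr()
    try:
        import cv2
    except ImportError:
        return None
    with tempfile.TemporaryDirectory() as tmpdir:
        return exr_roundtrip(cv2, tmpdir)


if __name__ == "__main__":
    print(try_demo())
```

The report's "pfm_bytes" is essentially the raw float payload plus a short header, while "exr_bytes" depends on the EXR compression applied by the writer, which is where the size difference mentioned above comes from; "lossless" is the check that matters when choosing a float format.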
A couple of years back in this thread, needing C++98 compatibility was cited as the reason for not upgrading to the newer OpenEXR in which all these CVEs have been fixed. Since then, OpenEXR has acquired a core C API as well. This should allow re-inclusion.
I don't think this issue is fully resolved yet. Despite providing the environment variable,
it is still failing. Is there anything else we need to do, perhaps manually compile OpenCV with some flags?
Your code works fine for me in a fresh shell (Python 3.8.13, OpenCV 4.6.0, Ubuntu). Not sure why it fails for you. Maybe there's an issue with updating the environment variable? If you are open to recompiling OpenCV, it looks like enabling the CMake option
OPENCV_IMGCODECS_USE_OPENEXR flag should really be enabled by default |
OpenCV 4.5.5/3.4.17: disabled OpenEXR in runtime: #21327
System information (version)
Detailed description
For openexr
according to http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openexr
For openjpeg
according to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29338
Steps to reproduce
build for default
Issue submission checklist
forum.opencv.org, Stack Overflow, etc. and have not found a solution