Candidate: CVE-2021-23169
PublicDate: 2021-06-08 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23169
Description:
 A heap-buffer overflow was found in the copyIntoFrameBuffer function of
 OpenEXR in versions before 3.0.1. An attacker could use this flaw to
 execute arbitrary code with the permissions of the user running the
 application compiled against OpenEXR.
Ubuntu-Description:
Notes:
 mdeslaur> it looks like the fix for this issue actually went into the
 mdeslaur> exrcheck tool used by the fuzzer
Mitigation:
Bugs:
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_openexr:
 upstream: https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e
upstream_openexr: released (2.5.4-2)
precise/esm_openexr: DNE
trusty_openexr: ignored (out of standard support)
trusty/esm_openexr: DNE
xenial_openexr: ignored (end of standard support, was needs-triage)
esm-infra/xenial_openexr: not-affected (code not present)
bionic_openexr: not-affected (code not present)
focal_openexr: needs-triage
groovy_openexr: ignored (reached end-of-life)
hirsute_openexr: ignored (reached end-of-life)
impish_openexr: not-affected (2.5.4-2)
jammy_openexr: not-affected (2.5.7-1)
devel_openexr: not-affected (2.5.7-1)