PublicDateAtUSN: 2020-04-14 23:15:00 UTC
Candidate: CVE-2020-11765
PublicDate: 2020-04-14 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11765
 https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
 https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020
 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1
 https://ubuntu.com/security/notices/USN-4339-1
Description:
 An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one
 error in use of the ImfXdr.h read function by
 DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.
Ubuntu-Description:
Notes:
 mdeslaur> possibly same commits as CVE-2020-11762, need to check
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [5.5 MEDIUM]


Patches_openexr:
 upstream: https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031
 upstream: https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a
upstream_openexr: needs-triage
precise/esm_openexr: DNE
trusty_openexr: ignored (out of standard support)
trusty/esm_openexr: DNE
xenial_openexr: released (2.2.0-10ubuntu2.2)
esm-infra/xenial_openexr: released (2.2.0-10ubuntu2.2)
bionic_openexr: released (2.2.0-11.1ubuntu1.2)
eoan_openexr: released (2.2.1-4.1ubuntu1.1)
focal_openexr: released (2.3.0-6ubuntu0.1)
devel_openexr: released (2.3.0-6ubuntu0.1)