diff -Nru openexr-2.2.0/debian/changelog openexr-2.2.0/debian/changelog
--- openexr-2.2.0/debian/changelog 2020-04-24 11:32:37.000000000 +0000
+++ openexr-2.2.0/debian/changelog 2020-06-30 18:24:45.000000000 +0000
@@ -1,3 +1,19 @@
+openexr (2.2.0-10ubuntu2.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: use-after-free in DeepScanLineInputFile
+ - debian/patches/CVE-2020-15305.patch: add missing throw in
+ deepscanline error handling in IlmImf/ImfDeepScanLineInputFile.cpp.
+ - CVE-2020-15305
+ * SECURITY UPDATE: heap buffer overflow in getChunkOffsetTableSize()
+ - debian/patches/CVE-2020-15306.patch: always ignore chunkCount
+ attribute unless it cannot be computed in
+ IlmImf/ImfDeepTiledOutputFile.cpp, IlmImf/ImfMisc.cpp,
+ IlmImf/ImfMisc.h, IlmImf/ImfMultiPartInputFile.cpp,
+ IlmImf/ImfMultiPartOutputFile.cpp.
+ - CVE-2020-15306
+
+ -- Marc Deslauriers Tue, 30 Jun 2020 14:24:45 -0400
+
 openexr (2.2.0-10ubuntu2.2) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Multiple security issues
diff -Nru openexr-2.2.0/debian/patches/CVE-2020-15305.patch openexr-2.2.0/debian/patches/CVE-2020-15305.patch
--- openexr-2.2.0/debian/patches/CVE-2020-15305.patch 1970-01-01 00:00:00.000000000 +0000
+++ openexr-2.2.0/debian/patches/CVE-2020-15305.patch 2020-06-30 18:24:35.000000000 +0000
@@ -0,0 +1,21 @@
+From 3d03979dc101612e806cdf0b011475d9fa685a73 Mon Sep 17 00:00:00 2001
+From: Peter Hillman
+Date: Tue, 19 May 2020 16:09:21 +1200
+Subject: [PATCH] fix #728 - missing 'throw' in deepscanline error handling
+
+Signed-off-by: Peter Hillman
+---
+ OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/IlmImf/ImfDeepScanLineInputFile.cpp
++++ b/IlmImf/ImfDeepScanLineInputFile.cpp
+@@ -1049,6 +1049,8 @@ DeepScanLineInputFile::DeepScanLineInput
+ delete _data->_streamData;
+ }
+ if (_data) delete _data;
++
++ throw;
+ }
+
+ readLineOffsets (*_data->_streamData->is,
diff -Nru openexr-2.2.0/debian/patches/CVE-2020-15306.patch openexr-2.2.0/debian/patches/CVE-2020-15306.patch
--- openexr-2.2.0/debian/patches/CVE-2020-15306.patch 1970-01-01 00:00:00.000000000 +0000
+++ openexr-2.2.0/debian/patches/CVE-2020-15306.patch 2020-06-30 18:24:40.000000000 +0000
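Review bot: The added `throw;` in CVE-2020-15305.patch is the only thing that keeps the constructor from reaching `readLineOffsets (*_data->_streamData->is,` after `_data` has been deleted, and nothing in the code records that. A one-line comment above it would protect the rethrow from a later cleanup edit, for example `// rethrow: _data is freed above, so construction must not continue`. The cleanup also dereferences `_data` in `delete _data->_streamData;` before the `if (_data)` test on the following line, so that test guards nothing (and `delete` already accepts a null pointer); the condition opening that block lies above the hunk and may cover it. The catch block itself starts outside the hunk.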
@@ -0,0 +1,139 @@
+From 6a9f8af6e89547bcd370ae3cec2b12849eee0b54 Mon Sep 17 00:00:00 2001
+From: peterhillman
+Date: Wed, 27 May 2020 13:50:54 +1200
+Subject: [PATCH] always ignore chunkCount attribute unless it cannot be
+ computed (#738)
+
+Signed-off-by: Peter Hillman
+---
+ OpenEXR/IlmImf/ImfDeepTiledOutputFile.cpp | 2 +-
+ OpenEXR/IlmImf/ImfMisc.cpp | 28 ++++++++++++++++-------
+ OpenEXR/IlmImf/ImfMisc.h | 11 +++++----
+ OpenEXR/IlmImf/ImfMultiPartInputFile.cpp | 2 +-
+ OpenEXR/IlmImf/ImfMultiPartOutputFile.cpp | 8 +++----
+ 5 files changed, 33 insertions(+), 18 deletions(-)
+
+--- a/IlmImf/ImfDeepTiledOutputFile.cpp
++++ b/IlmImf/ImfDeepTiledOutputFile.cpp
+@@ -1228,7 +1228,7 @@ DeepTiledOutputFile::initialize (const H
+ _data->numYTiles);
+
+ //ignore the existing value of chunkCount - correct it if it's wrong
+- _data->header.setChunkCount(getChunkOffsetTableSize(_data->header,true));
++ _data->header.setChunkCount(getChunkOffsetTableSize(_data->header));
+
+ _data->maxSampleCountTableSize = _data->tileDesc.ySize *
+ _data->tileDesc.xSize *
+--- a/IlmImf/ImfMisc.cpp
++++ b/IlmImf/ImfMisc.cpp
+@@ -1877,18 +1877,30 @@ int
+ getTiledChunkOffsetTableSize(const Header& header);
+
+ int
+-getChunkOffsetTableSize(const Header& header,bool ignore_attribute)
++getChunkOffsetTableSize(const Header& header,bool)
+ {
+- if(!ignore_attribute && header.hasChunkCount())
+- {
+- return header.chunkCount();
+- }
+-
++ //
++ // if there is a type in the header which indicates the part is not a currently supported type,
++ // use the chunkCount attribute
++ //
++
++
+ if(header.hasType() && !isSupportedType(header.type()))
+ {
+- throw IEX_NAMESPACE::ArgExc ("unsupported header type to "
+- "get chunk offset table size");
++ if(header.hasChunkCount())
++ {
++ return header.chunkCount();
++ }
++ else
++ {
++ throw IEX_NAMESPACE::ArgExc ("unsupported header type to "
++ "get chunk offset table size");
++ }
+ }
++
++ //
++ // part is a known type - ignore the header attribute 
and compute the chunk size from the header
++ //
+ if (isTiled(header.type()) == false)
+ return getScanlineChunkOffsetTableSize(header);
+ else
+--- a/IlmImf/ImfMisc.h
++++ b/IlmImf/ImfMisc.h
+@@ -452,13 +452,16 @@ bool usesLongNames (const Header &header
+
+
+ //
+-// compute size of chunk offset table - if ignore_attribute set to true
+-// will compute from the image size and layout, rather than the attribute
+-// The default behaviour is to read the attribute
++// compute size of chunk offset table - for existing types, computes
++// the chunk size from the image size, compression type, and tile description
++// (for tiled types). If the type is not supported, uses the chunkCount attribute
++// if present, or throws an exception otherwise
++// deprecated_attribute is no longer used by this function
++//
+ //
+
+ IMF_EXPORT
+-int getChunkOffsetTableSize(const Header& header,bool ignore_attribute=false);
++int getChunkOffsetTableSize(const Header& header,bool deprecated_attribute=false);
+
+ OPENEXR_IMF_INTERNAL_NAMESPACE_HEADER_EXIT
+
+--- a/IlmImf/ImfMultiPartInputFile.cpp
++++ b/IlmImf/ImfMultiPartInputFile.cpp
+@@ -735,7 +735,7 @@ MultiPartInputFile::Data::readChunkOffse
+
+ for (size_t i = 0; i < parts.size(); i++)
+ {
+- int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header,false);
++ int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header);
+ parts[i]->chunkOffsets.resize(chunkOffsetTableSize);
+
+ for (int j = 0; j < chunkOffsetTableSize; j++)
+--- a/IlmImf/ImfMultiPartOutputFile.cpp
++++ b/IlmImf/ImfMultiPartOutputFile.cpp
+@@ -145,7 +145,7 @@ MultiPartOutputFile::Data::do_header_san
+ if (isMultiPart)
+ {
+ // multipart files must contain a chunkCount attribute
+- _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true));
++ _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0]));
+
+ for (size_t i = 1; i < parts; i++)
+ {
+@@ -153,7 +153,7 @@ MultiPartOutputFile::Data::do_header_san
+ throw 
IEX_NAMESPACE::ArgExc ("Every header in a multipart file should have a type");
+
+
+- _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i],true));
++ _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i]));
+ _headers[i].sanityCheck (_headers[i].hasTileDescription(), isMultiPart);
+
+
+@@ -185,7 +185,7 @@ MultiPartOutputFile::Data::do_header_san
+
+ if (_headers[0].hasType() && isImage(_headers[0].type()) == false)
+ {
+- _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true));
++ _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0]));
+ }
+
+ }
+@@ -494,7 +494,7 @@ MultiPartOutputFile::Data::writeChunkTab
+ {
+ for (size_t i = 0; i < parts.size(); i++)
+ {
+- int chunkTableSize = getChunkOffsetTableSize(parts[i]->header,false);
++ int chunkTableSize = getChunkOffsetTableSize(parts[i]->header);
+
+ Int64 pos = os->tellp();
+
diff -Nru openexr-2.2.0/debian/patches/series openexr-2.2.0/debian/patches/series
--- openexr-2.2.0/debian/patches/series 2020-04-24 11:31:54.000000000 +0000
+++ openexr-2.2.0/debian/patches/series 2020-06-30 18:24:40.000000000 +0000
@@ -32,3 +32,5 @@
 CVE-2020-117xx/0021-missing-header-for-ptrdiff_t.patch
 CVE-2020-117xx/0022-minor-tweaks-and-typo-fixes.patch
 CVE-2020-117xx/0023-force-x-y-Sampling-to-1-for-Deep-Scanline-Images.patch
+CVE-2020-15305.patch
+CVE-2020-15306.patch
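Review bot: In the ImfMisc.cpp hunk of CVE-2020-15306.patch, a part whose type is not supported still gets `return header.chunkCount();`, so the file-supplied attribute reaches callers with no range check. In the ImfMultiPartInputFile.cpp hunk that `int` goes straight into `parts[i]->chunkOffsets.resize(chunkOffsetTableSize);`, where a negative value would convert to a very large size (assuming `chunkOffsets` is a standard vector) and a large positive one forces a correspondingly large allocation; the `writeChunkTable` hunk in ImfMultiPartOutputFile.cpp consumes the same return value. Rejecting implausible counts at the source would cover every caller, e.g. `const int n = header.chunkCount();`, `if (n < 0) throw IEX_NAMESPACE::ArgExc ("invalid chunkCount attribute");`, `return n;`. An upper bound tied to the remaining stream length would be stronger but needs information that is not visible in these hunks, and whether the header's own sanity check already constrains chunkCount cannot be determined from this diff.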