bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
From: John Kehayias
Subject: bug#70174: OpenEXR is vulnerable to CVE-2023-5841 and CVE-2021-45942
Date: Thu, 04 Apr 2024 02:50:28 +0000
Hello,
On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
> OpenEXR suffers from these vulnerabilities which were fixed in version
> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
> 3.1.3.
>
> The package contains 448 dependents, and a change in derivation
> shouldn't be pushed to master, at least according to the patch
> submission guidelines.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
Thanks for passing this along.
I've applied a patch, attached, locally to the mesa-updates branch which
updates openexr to the latest version, 3.2.4. It required a few minor
changes (fix a phase, an input) but it builds.
I may wait to queue up some more fixes for that branch, but don't
currently have anything pending. Either way, it will be there soon and
hopefully merged to master (just need to wait for everything to build
and look good).
Thanks!
John
Attachment: 0001-gnu-openexr-Update-to-3.2.4-security-fixes.patch