FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openexr -- Heap Overflow in Scanline Deep Data Parsing

Affected packages
openexr < 3.1.12
3.2.0 <= openexr < 3.2.2
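The two ranges above use VuXML's usual convention: each line is a half-open interval with an exclusive upper bound, so 3.1.12 and 3.2.2 themselves are fixed. The following added Python helper (not FreeBSD's own pkg-audit code) checks an installed version string against exactly those ranges. It assumes plain dotted versions with an optional FreeBSD-style "_revision" and ",epoch" suffix, and deliberately does not replicate every rule of pkg's version-comparison algorithm; the sample versions in the comments are constructed for illustration.

```python
"""Check whether an openexr version falls inside the affected ranges of this
VuXML entry (CVE-2023-5841). Added example, not FreeBSD's pkg-audit code."""

import re
from typing import List, Optional, Tuple

# Ranges from the entry above: (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "3.1.12"),     # openexr < 3.1.12
    ("3.2.0", "3.2.2"),   # 3.2.0 <= openexr < 3.2.2
]

# Dotted version, optional "_<portrevision>", optional ",<portepoch>"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def parse_version(v: str) -> Tuple[int, Tuple[int, ...], int]:
    """Split 'A.B.C_rev,epoch' into (epoch, dotted parts, revision).

    Epoch is compared first, then the dotted part, then the port revision,
    which is the order FreeBSD uses for package versions.
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    dotted, rev, epoch = m.groups()
    parts = tuple(int(p) for p in dotted.split("."))
    return (int(epoch or 0), parts, int(rev or 0))


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b.

    Dotted parts are zero-padded to equal length so that 3.2 == 3.2.0,
    and a port revision makes 3.1.12_1 sort after 3.1.12.
    """
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (ea, pa, ra) < (eb, pb, rb)


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """Return True if `version` lies in any [lower, upper) range."""
    for lower, upper in ranges:
        if lower is not None and version_lt(version, lower):
            continue  # below this range's inclusive lower bound
        if version_lt(version, upper):
            return True  # below the exclusive upper bound: affected
    return False


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ("3.1.11", "3.1.12", "3.1.12_1", "3.2.0", "3.2.1", "3.2.2"):
        print(f"openexr-{v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```

On a FreeBSD host the installed version can be read with `pkg query '%v' openexr` and passed to `is_affected`; in practice `pkg audit -F` performs this check against the full VuXML database, and the helper above only makes the range semantics of this one entry explicit.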

Details

VuXML ID f161a5ad-c9bd-11ee-b7a7-353f1e043d9a
Discovery 2023-10-26
Entry 2024-02-12

Austin Hackers Anonymous report:

Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.

References

CVE Name CVE-2023-5841
URL https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.2
URL https://takeonme.org/cves/CVE-2023-5841.html