CVE-2017-12596 - Out-of-bounds Read vulnerability in Openexr 2.2.0

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, openexr, CWE-125, nessus

Summary

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact.

Vulnerable Configurations

Part         Description  Count
Application  Openexr      1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-0587-1.NASL
    description: This update for OpenEXR fixes the following issues:
      - CVE-2017-9110: In OpenEXR, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (bsc#1040107)
      - CVE-2017-9114: In OpenEXR, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (bsc#1040114)
      - CVE-2017-12596: In OpenEXR, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it could have resulted in denial of service or possibly unspecified other impact. (bsc#1052522)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 107132
    published: 2018-03-05
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107132
    title: SUSE SLES11 Security Update : OpenEXR (SUSE-SU-2018:0587-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0587-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107132);
      script_version("3.5");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2017-12596", "CVE-2017-9110", "CVE-2017-9114");
    
      script_name(english:"SUSE SLES11 Security Update : OpenEXR (SUSE-SU-2018:0587-1)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for OpenEXR fixes the following issues :
    
      - CVE-2017-9110: In OpenEXR, an invalid read of size 2 in
        the hufDecode function in ImfHuf.cpp could cause the
        application to crash. (bsc#1040107)
    
      - CVE-2017-9114: In OpenEXR, an invalid read of size 1 in
        the refill function in ImfFastHuf.cpp could cause the
        application to crash. (bsc#1040114)
    
      - CVE-2017-12596: In OpenEXR, a crafted image causes a
        heap-based buffer over-read in the hufDecode function in
        IlmImf/ImfHuf.cpp during exrmaketiled execution; it
        could have resulted in denial of service or possibly
        unspecified other impact. (bsc#1052522)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040114"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1052522"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12596/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9110/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9114/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180587-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5f34f2f9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-OpenEXR-13496=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-OpenEXR-13496=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-OpenEXR-13496=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:OpenEXR");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"OpenEXR-32bit-1.6.1-83.17.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"OpenEXR-32bit-1.6.1-83.17.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"OpenEXR-1.6.1-83.17.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenEXR");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1584.NASL
    description: According to the versions of the OpenEXR package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
      OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
      Security Fix(es):
      - In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code. (CVE-2017-9115)
      - In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code. (CVE-2017-9111)
      - In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution it may result in denial of service or possibly unspecified other impact. (CVE-2017-12596)
      - In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code. (CVE-2017-9113)
      - In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash. (CVE-2017-9116)
      - In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (CVE-2017-9114)
      - In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9112)
      - In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (CVE-2017-9110)
      - Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp.
NOTE: The maintainer and multiple third parties believe that this vulnerability isn
    last seen: 2020-05-31
    modified: 2020-05-26
    plugin id: 136862
    published: 2020-05-26
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136862
    title: EulerOS 2.0 SP8 : OpenEXR (EulerOS-SA-2020-1584)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136862);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/28");
    
      script_cve_id(
        "CVE-2017-12596",
        "CVE-2017-14988",
        "CVE-2017-9110",
        "CVE-2017-9111",
        "CVE-2017-9112",
        "CVE-2017-9113",
        "CVE-2017-9114",
        "CVE-2017-9115",
        "CVE-2017-9116"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : OpenEXR (EulerOS-SA-2020-1584)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the OpenEXR package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - OpenEXR is a high dynamic-range (HDR) image file format
        developed by Industrial Light & Magic for use in
        computer imaging applications. This package contains
        libraries and sample applications for handling the
        format.Security Fix(es):In OpenEXR 2.2.0, an invalid
        write of size 2 in the = operator function in half.h
        could cause the application to crash or execute
        arbitrary code.(CVE-2017-9115)In OpenEXR 2.2.0, an
        invalid write of size 8 in the storeSSE function in
        ImfOptimizedPixelReading.h could cause the application
        to crash or execute arbitrary code.(CVE-2017-9111)In
        OpenEXR 2.2.0, a crafted image causes a heap-based
        buffer over-read in the hufDecode function in
        IlmImf/ImfHuf.cpp during exrmaketiled execution it may
        result in denial of service or possibly unspecified
        other impact.(CVE-2017-12596)In OpenEXR 2.2.0, an
        invalid write of size 1 in the bufferedReadPixels
        function in ImfInputFile.cpp could cause the
        application to crash or execute arbitrary
        code.(CVE-2017-9113)In OpenEXR 2.2.0, an invalid read
        of size 1 in the uncompress function in ImfZip.cpp
        could cause the application to crash.(CVE-2017-9116)In
        OpenEXR 2.2.0, an invalid read of size 1 in the refill
        function in ImfFastHuf.cpp could cause the application
        to crash.(CVE-2017-9114)In OpenEXR 2.2.0, an invalid
        read of size 1 in the getBits function in ImfHuf.cpp
        could cause the application to crash.(CVE-2017-9112)In
        OpenEXR 2.2.0, an invalid read of size 2 in the
        hufDecode function in ImfHuf.cpp could cause the
        application to crash.(CVE-2017-9110)Header::readfrom in
        IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote
        attackers to cause a denial of service (excessive
        memory allocation) via a crafted file that is accessed
        with the ImfOpenInputFile function in
        IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and
        multiple third parties believe that this vulnerability
        isn't valid.(CVE-2017-14988)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1584
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?78467a42");
      script_set_attribute(attribute:"solution", value:
    "Update the affected OpenEXR packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9115");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:OpenEXR-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["OpenEXR-libs-2.2.0-15.h1.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenEXR");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-B152C791CC.NASL
    description: This update fixes the following vulnerabilities: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-12596
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-02-28
    plugin id: 107034
    published: 2018-02-28
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107034
    title: Fedora 27 : mingw-OpenEXR (2018-b152c791cc)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-F5D2F4EC0D.NASL
    description: This update fixes the following vulnerabilities: CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-12596
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-02-28
    plugin id: 107040
    published: 2018-02-28
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107040
    title: Fedora 26 : mingw-OpenEXR (2018-f5d2f4ec0d)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-0585-1.NASL
    description: This update for openexr fixes the following issues:
      - CVE-2017-9110: In OpenEXR, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (bsc#1040107)
      - CVE-2017-9114: In OpenEXR, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (bsc#1040114)
      - CVE-2017-12596: In OpenEXR, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it could have resulted in denial of service or possibly unspecified other impact. (bsc#1052522)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 107131
    published: 2018-03-05
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107131
    title: SUSE SLED12 / SLES12 Security Update : openexr (SUSE-SU-2018:0585-1)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4148-1.NASL
    description: It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12596)
      Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-9110, CVE-2017-9112, CVE-2017-9116)
      Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
      Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2018-18444).
      Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129712
    published: 2019-10-08
    reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129712
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : openexr vulnerabilities (USN-4148-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-229.NASL
    description: This update for openexr fixes the following issues:
      - CVE-2017-9110: In OpenEXR, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (bsc#1040107)
      - CVE-2017-9114: In OpenEXR, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (bsc#1040114)
      - CVE-2017-12596: In OpenEXR, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it could have resulted in denial of service or possibly unspecified other impact. (bsc#1052522)
      This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-06-05
    modified: 2018-03-07
    plugin id: 107184
    published: 2018-03-07
    reporter: This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/107184
    title: openSUSE Security Update : openexr (openSUSE-2018-229)