CVE-2018-18444 - Out-of-bounds Write vulnerability in ILM Openexr 2.3.0
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possibly unspecified other impact.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2019-1962-1.NASL
- description: This update for openexr fixes the following issues : Security issue fixed :
  - CVE-2017-9111: Fixed an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h (bsc#1040109).
  - CVE-2017-9113: Fixed an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp (bsc#1040113).
  - CVE-2017-9115: Fixed an invalid write of size 2 in the = operator function in half.h (bsc#1040115).
  - CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455).
  - CVE-2017-9112: Fixed invalid read of size 1 in the getBits function in ImfHuf.cpp (bsc#1040112).

  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 127039
- published: 2019-07-25
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/127039
- title: SUSE SLED12 / SLES12 Security Update : openexr (SUSE-SU-2019:1962-1)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2019:1962-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(127039);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/06");

  script_cve_id("CVE-2017-9111", "CVE-2017-9112", "CVE-2017-9113", "CVE-2017-9115", "CVE-2018-18444");

  script_name(english:"SUSE SLED12 / SLES12 Security Update : openexr (SUSE-SU-2019:1962-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openexr fixes the following issues : Security issue fixed : CVE-2017-9111: Fixed an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h (bsc#1040109). CVE-2017-9113: Fixed an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp (bsc#1040113). CVE-2017-9115: Fixed an invalid write of size 2 in the = operator function inhalf.h (bsc#1040115). CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455). CVE-2017-9112: Fixed invalid read of size 1 in the getBits function in ImfHuf.cpp (bsc#1040112). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1040109"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1040112"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1040113"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1040115"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1113455"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-9111/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-9112/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-9113/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-9115/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-18444/"
  );
  # https://www.suse.com/support/update/announcement/2019/suse-su-20191962-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f622ca6f"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Workstation Extension 12-SP4:zypper in -t patch SUSE-SLE-WE-12-SP4-2019-1962=1 SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-1962=1 SUSE Linux Enterprise Server 12-SP4:zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-1962=1 SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-1962=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1-21");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1-21-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openexr");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openexr-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openexr-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP4", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP4", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"4", reference:"libIlmImf-Imf_2_1-21-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLES12", sp:"4", reference:"libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLES12", sp:"4", reference:"openexr-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLES12", sp:"4", reference:"openexr-debuginfo-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLES12", sp:"4", reference:"openexr-debugsource-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libIlmImf-Imf_2_1-21-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libIlmImf-Imf_2_1-21-32bit-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"openexr-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"openexr-debuginfo-2.1.0-6.10.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"openexr-debugsource-2.1.0-6.10.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openexr");
}
```

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2019-5B062C4A3B.NASL
- description: This update backports fixes for CVE-2018-18443 and CVE-2018-18444. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 131199
- published: 2019-11-22
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/131199
- title: Fedora 31 : mingw-OpenEXR / mingw-ilmbase (2019-5b062c4a3b)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2019-5b062c4a3b.
#

include("compat.inc");

if (description)
{
  script_id(131199);
  script_version("1.2");
  script_cvs_date("Date: 2019/12/09");

  script_cve_id("CVE-2018-18443", "CVE-2018-18444");
  script_xref(name:"FEDORA", value:"2019-5b062c4a3b");

  script_name(english:"Fedora 31 : mingw-OpenEXR / mingw-ilmbase (2019-5b062c4a3b)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update backports fixes for CVE-2018-18443 and CVE-2018-18444. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-5b062c4a3b"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected mingw-OpenEXR and / or mingw-ilmbase packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-OpenEXR");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-ilmbase");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC31", reference:"mingw-OpenEXR-2.3.0-3.fc31")) flag++;
if (rpm_check(release:"FC31", reference:"mingw-ilmbase-2.3.0-3.fc31")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw-OpenEXR / mingw-ilmbase");
}
```

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2019-CE3385517B.NASL
- description: This update backports fixes for CVE-2018-18443 and CVE-2018-18444. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 131205
- published: 2019-11-22
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/131205
- title: Fedora 30 : mingw-OpenEXR (2019-ce3385517b)

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_E4D9DFFB2A3211EA9693E1B3F6FEEC79.NASL
- description: Cary Phillips reports : OpenEXR (IlmBase) v2.4.0 fixes the following security vulnerabilities :
  - CVE-2018-18444 Issue #351 Out of Memory
  - CVE-2018-18443 Issue #350 heap-buffer-overflow

  The relevant patches have been backported to the FreeBSD ports.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 132429
- published: 2019-12-30
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/132429
- title: FreeBSD : OpenEXR -- heap buffer overflow, and out-of-memory bugs (e4d9dffb-2a32-11ea-9693-e1b3f6feec79)

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2019-1265.NASL
- description: This update for openexr fixes the following issues : Security issue fixed :
  - CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455).

  This update was imported from the SUSE:SLE-15:Update update project.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 124292
- published: 2019-04-25
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/124292
- title: openSUSE Security Update : openexr (openSUSE-2019-1265)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2019-0954-1.NASL
- description: This update for openexr fixes the following issues : Security issue fixed : CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 124109
- published: 2019-04-17
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/124109
- title: SUSE SLED15 / SLES15 Security Update : openexr (SUSE-SU-2019:0954-1)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-4339-1.NASL
- description:
  - Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
  - Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2018-18444)
  - Samuel Gross discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)
  - It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service. (CVE-2020-11765).

  Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-05-03
- modified: 2020-04-28
- plugin id: 136028
- published: 2020-04-28
- reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/136028
- title: Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : openexr vulnerabilities (USN-4339-1)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-4148-1.NASL
- description:
  - It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12596)
  - Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-9110, CVE-2017-9112, CVE-2017-9116)
  - Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)
  - Tan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2018-18444).

  Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 129712
- published: 2019-10-08
- reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/129712
- title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : openexr vulnerabilities (USN-4148-1)

References
- https://github.com/openexr/openexr/issues/351
- https://github.com/openexr/openexr/releases/tag/v2.4.0
- https://usn.ubuntu.com/4148-1/
- https://usn.ubuntu.com/4339-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZN7WUH3SR6DSRODRB4SLFTBKP74FVC5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5E2OZU4ZSF5W4ODBU4L547HX5A4WOBFV/