{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20211933", "Version": "oval:org.altlinux.errata:def:20211933", "Class": "patch", "Metadata": { "Title": "ALT-PU-2021-1933: package `ilmbase` update to version 2.5.6-alt1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch p9" ], "Products": [ "ALT Server", "ALT Virtualization Server", "ALT Workstation", "ALT Workstation K", "ALT Education", "Simply Linux", "Starterkit" ] } ], "References": [ { "RefID": "ALT-PU-2021-1933", "RefURL": "https://errata.altlinux.org/ALT-PU-2021-1933", "Source": "ALTPU" }, { "RefID": "BDU:2021-01975", "RefURL": "https://bdu.fstec.ru/vul/2021-01975", "Source": "BDU" }, { "RefID": "BDU:2021-01976", "RefURL": "https://bdu.fstec.ru/vul/2021-01976", "Source": "BDU" }, { "RefID": "BDU:2021-01977", "RefURL": "https://bdu.fstec.ru/vul/2021-01977", "Source": "BDU" }, { "RefID": "BDU:2021-01978", "RefURL": "https://bdu.fstec.ru/vul/2021-01978", "Source": "BDU" }, { "RefID": "BDU:2021-01983", "RefURL": "https://bdu.fstec.ru/vul/2021-01983", "Source": "BDU" }, { "RefID": "BDU:2021-01984", "RefURL": "https://bdu.fstec.ru/vul/2021-01984", "Source": "BDU" }, { "RefID": "BDU:2021-05210", "RefURL": "https://bdu.fstec.ru/vul/2021-05210", "Source": "BDU" }, { "RefID": "BDU:2023-01678", "RefURL": "https://bdu.fstec.ru/vul/2023-01678", "Source": "BDU" }, { "RefID": "BDU:2023-01692", "RefURL": "https://bdu.fstec.ru/vul/2023-01692", "Source": "BDU" }, { "RefID": "BDU:2023-01699", "RefURL": "https://bdu.fstec.ru/vul/2023-01699", "Source": "BDU" }, { "RefID": "BDU:2023-01701", "RefURL": "https://bdu.fstec.ru/vul/2023-01701", "Source": "BDU" }, { "RefID": "CVE-2021-20296", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20296", "Source": "CVE" }, { "RefID": "CVE-2021-20299", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20299", "Source": "CVE" }, { "RefID": "CVE-2021-20300", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20300", "Source": "CVE" }, { "RefID": 
"CVE-2021-20302", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20302", "Source": "CVE" }, { "RefID": "CVE-2021-20303", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20303", "Source": "CVE" }, { "RefID": "CVE-2021-3474", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3474", "Source": "CVE" }, { "RefID": "CVE-2021-3475", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3475", "Source": "CVE" }, { "RefID": "CVE-2021-3476", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3476", "Source": "CVE" }, { "RefID": "CVE-2021-3477", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3477", "Source": "CVE" }, { "RefID": "CVE-2021-3478", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3478", "Source": "CVE" }, { "RefID": "CVE-2021-3479", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3479", "Source": "CVE" } ], "Description": "This update upgrades ilmbase to version 2.5.6-alt1. \nSecurity Fix(es):\n\n * BDU:2021-01975: A vulnerability in the Scanline API interface of the OpenEXR library that allows an attacker to cause a denial of service\n\n * BDU:2021-01976: A vulnerability in the implementation of the Zip (per scanline) file compression method (ImfScanLineInputFile.cpp) of the OpenEXR library that allows an attacker to cause a denial of service\n\n * BDU:2021-01977: A vulnerability in the DeepTiledInputFile::initialize() function (src/lib/OpenEXR/ImfDeepTiledInputFile.cpp) of the OpenEXR library that allows an attacker to cause a denial of service or execute arbitrary code\n\n * BDU:2021-01978: A vulnerability in the B44 data compression function (OpenEXR/IlmImf/ImfB44Compressor.cpp) of the OpenEXR library that allows an attacker to cause a denial of service\n\n * BDU:2021-01983: A vulnerability in the calculateNumTiles()(OpenEXR/IlmImf/ImfTiledMisc.cpp) function of the OpenEXR library that allows an attacker to cause a denial of service\n\n * BDU:2021-01984: A vulnerability in the FastHufDecoder function of the OpenEXR library that allows an attacker to cause a denial of service\n\n * BDU:2021-05210: 
A vulnerability in the Dwa decompression function of the IlmImf library of the OpenEXR high-dynamic-range image storage software, related to pointer dereference errors, that allows an attacker to cause a denial of service\n\n * BDU:2023-01678: A vulnerability in the TiledInputFile functionality of the OpenEXR high-dynamic-range image storage software that allows an attacker to cause a denial of service\n\n * BDU:2023-01692: A vulnerability in the hufUncompress function of the /IlmImf/ImfHuf.cpp component of the OpenEXR high-dynamic-range image storage software that allows an attacker to cause a denial of service\n\n * BDU:2023-01699: A vulnerability in the dataWindowForTile() function of the IlmImf/ImfTiledMisc.cpp component of the OpenEXR high-dynamic-range image storage software that allows an attacker to compromise data integrity and cause a denial of service\n\n * BDU:2023-01701: A vulnerability in the OpenEXR high-dynamic-range image storage software, related to pointer dereference errors, that allows an attacker to cause a denial of service\n\n * CVE-2021-20296: A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20299: A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20300: A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. 
This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20302: A flaw was found in OpenEXR's TiledInputFile functionality. This flaw allows an attacker who can submit a crafted single-part non-image to be processed by OpenEXR, to trigger a floating-point exception error. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20303: A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, leading to an out-of-bounds write on the heap. The greatest impact of this flaw is to application availability, with some potential impact to data integrity as well.\n\n * CVE-2021-3474: There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.\n\n * CVE-2021-3475: There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.\n\n * CVE-2021-3476: A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.\n\n * CVE-2021-3477: There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. 
The greatest risk of this flaw is to application availability.\n\n * CVE-2021-3478: There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.\n\n * CVE-2021-3479: There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.", "Advisory": { "From": "errata.altlinux.org", "Severity": "High", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2021-06-04" }, "Updated": { "Date": "2021-06-04" }, "BDUs": [ { "ID": "BDU:2021-01975", "CVSS": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-400", "Href": "https://bdu.fstec.ru/vul/2021-01975", "Impact": "Low", "Public": "20200902" }, { "ID": "BDU:2021-01976", "CVSS": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-400", "Href": "https://bdu.fstec.ru/vul/2021-01976", "Impact": "Low", "Public": "20201111" }, { "ID": "BDU:2021-01977", "CVSS": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-125, CWE-190", "Href": "https://bdu.fstec.ru/vul/2021-01977", "Impact": "Low", "Public": "20201104" }, { "ID": "BDU:2021-01978", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-190", "Href": "https://bdu.fstec.ru/vul/2021-01978", "Impact": "Low", "Public": "20201006" }, { "ID": "BDU:2021-01983", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-190", "Href": "https://bdu.fstec.ru/vul/2021-01983", "Impact": "Low", "Public": "20200831" }, { "ID": "BDU:2021-01984", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": 
"AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-190", "Href": "https://bdu.fstec.ru/vul/2021-01984", "Impact": "Low", "Public": "20200817" }, { "ID": "BDU:2021-05210", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-476", "Href": "https://bdu.fstec.ru/vul/2021-05210", "Impact": "Low", "Public": "20200813" }, { "ID": "BDU:2023-01678", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-20", "Href": "https://bdu.fstec.ru/vul/2023-01678", "Impact": "Low", "Public": "20200923" }, { "ID": "BDU:2023-01692", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-190", "Href": "https://bdu.fstec.ru/vul/2023-01692", "Impact": "Low", "Public": "20200911" }, { "ID": "BDU:2023-01699", "CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:C", "CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "CWE": "CWE-190", "Href": "https://bdu.fstec.ru/vul/2023-01699", "Impact": "Low", "Public": "20200909" }, { "ID": "BDU:2023-01701", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-476", "Href": "https://bdu.fstec.ru/vul/2023-01701", "Impact": "Low", "Public": "20200917" } ], "CVEs": [ { "ID": "CVE-2021-20296", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-476", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20296", "Impact": "Low", "Public": "20210401" }, { "ID": "CVE-2021-20299", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-476", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20299", "Impact": "High", "Public": "20220316" }, { "ID": "CVE-2021-20300", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20300", "Impact": "Low", "Public": "20220304" }, { "ID": "CVE-2021-20302", "CVSS": 
"AV:N/AC:M/Au:N/C:N/I:N/A:C", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "NVD-CWE-noinfo", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20302", "Impact": "Low", "Public": "20220304" }, { "ID": "CVE-2021-20303", "CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20303", "Impact": "Low", "Public": "20220304" }, { "ID": "CVE-2021-3474", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3474", "Impact": "Low", "Public": "20210330" }, { "ID": "CVE-2021-3475", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3475", "Impact": "Low", "Public": "20210330" }, { "ID": "CVE-2021-3476", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3476", "Impact": "Low", "Public": "20210330" }, { "ID": "CVE-2021-3477", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-190", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3477", "Impact": "Low", "Public": "20210331" }, { "ID": "CVE-2021-3478", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-400", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3478", "Impact": "Low", "Public": "20210331" }, { "ID": "CVE-2021-3479", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "CWE": "CWE-400", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3479", "Impact": "Low", "Public": "20210331" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:kworkstation:9", "cpe:/o:alt:workstation:9", "cpe:/o:alt:server:9", 
"cpe:/o:alt:server-v:9", "cpe:/o:alt:education:9", "cpe:/o:alt:slinux:9", "cpe:/o:alt:starterkit:p9", "cpe:/o:alt:kworkstation:9.1", "cpe:/o:alt:workstation:9.1", "cpe:/o:alt:server:9.1", "cpe:/o:alt:server-v:9.1", "cpe:/o:alt:education:9.1", "cpe:/o:alt:slinux:9.1", "cpe:/o:alt:starterkit:9.1", "cpe:/o:alt:kworkstation:9.2", "cpe:/o:alt:workstation:9.2", "cpe:/o:alt:server:9.2", "cpe:/o:alt:server-v:9.2", "cpe:/o:alt:education:9.2", "cpe:/o:alt:slinux:9.2", "cpe:/o:alt:starterkit:9.2" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:1001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20211933001", "Comment": "ilmbase is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933002", "Comment": "ilmbase-devel is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933003", "Comment": "ilmbase25-common is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933004", "Comment": "libhalf25 is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933005", "Comment": "libiex25 is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933006", "Comment": "libiexmath25 is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933007", "Comment": "libilmthread25 is earlier than 0:2.5.6-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20211933008", "Comment": "libimath25 is earlier than 0:2.5.6-alt1" } ] } ] } } ] }