From e649eed728014f8b87e07c92d1f73906c260854b Mon Sep 17 00:00:00 2001 From: Cary Phillips Date: Sun, 23 Jan 2022 11:46:02 -0800 Subject: [PATCH 1/3] Update release notes with v3.1.4 Signed-off-by: Cary Phillips --- CHANGES.md | 223 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 223 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 56c259252c..5bc29b288f 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -52,6 +52,229 @@ * [Version 1.0.1](#version-101) * [Version 1.0](#version-10) +## Version 3.1.4 (January 26, 2022) + +Patch release that addresses various issues: + +* Several bug fixes to properly reject invalid input upon read +* A check to enable SSE2 when building with Visual Studio +* A check to fix building with VisualStudio on ARM64 +* Update the automatically-downloaded version of Imath to v3.1.4 +* Miscellaneous documentation improvements + +This addresses one public security vulnerability: + +* [CVE-2021-45942](https://nvd.nist.gov/vuln/detail/CVE-2021-45942) Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute + +Specific OSS-fuzz issues: + +* OSS-fuzz [43961](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43961) Heap-buffer-overflow in generic_unpack +* OSS-fuzz [43916](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43916) Heap-buffer-overflow in hufDecode +* OSS-fuzz [43763](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43763) Heap-buffer-overflow in internal_huf_decompress +* OSS-fuzz [43745](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43745) Floating-point-exception in internal_exr_compute_tile_information +* OSS-fuzz [43744](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43744) Divide-by-zero in internal_exr_compute_tile_information +* OSS-fuzz [42197](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42197) Out-of-memory in openexr_exrcheck_fuzzer +* OSS-fuzz [42001](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42001) Timeout in openexr_exrcheck_fuzzer +* OSS-fuzz [41999](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41999) Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute +* OSS-fuzz [41669](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41669) Integer-overflow in Imf_3_1::rleUncompress +* OSS-fuzz [41625](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41625) Heap-buffer-overflow in uncompress_b44_impl +* OSS-fuzz 
[41416](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416) Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute +* OSS-fuzz [41075](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41075) Integer-overflow in Imf_3_1::copyIntoDeepFrameBuffer +* OSS-fuzz [40704](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40704) Crash in Imf_3_1::DeepTiledInputFile::readPixelSampleCounts +* OSS-fuzz [40702](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40702) Null-dereference in bool Imf_3_1::readDeepTile +* OSS-fuzz [40701](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40701) Null-dereference in bool Imf_3_1::readDeepTile +* OSS-fuzz [40423](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40423) Out-of-memory in openexr_exrcheck_fuzzer +* OSS-fuzz [40234](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40234) Heap-buffer-overflow in generic_unpack +* OSS-fuzz [40231](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40231) Heap-buffer-overflow in hufDecode +* OSS-fuzz [40091](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40091) Heap-buffer-overflow in hufDecode + +Merged Pull Requests: + +* [1225](https://github.com/AcademySoftwareFoundation/openexr/pull/1225) +Bazel build: Update Imath +* [1224](https://github.com/AcademySoftwareFoundation/openexr/pull/1224) +Add error check to prevent corrupt files trying to unpack +* [1223](https://github.com/AcademySoftwareFoundation/openexr/pull/1223) +Fix issues with a a "short" huf table and checking boundary conditions, missing return value +* [1222](https://github.com/AcademySoftwareFoundation/openexr/pull/1222) +Fix OSS Fuzz 43763, 43745 +* [1218](https://github.com/AcademySoftwareFoundation/openexr/pull/1218) +OSS-Fuzz pass 15jan2022 +* [1217](https://github.com/AcademySoftwareFoundation/openexr/pull/1217) +Added missing check _M_IX86 or _M_X64 when using __lzcnt. 
+* [1216](https://github.com/AcademySoftwareFoundation/openexr/pull/1216) +Corrected the check to enable SSE2 when building with Visual Studio. +* [1214](https://github.com/AcademySoftwareFoundation/openexr/pull/1214) +prevent overflow in allocation of RLE buufer +* [1213](https://github.com/AcademySoftwareFoundation/openexr/pull/1213) +add check for decompressed deepscanline datasize +* [1209](https://github.com/AcademySoftwareFoundation/openexr/pull/1209) +enforce xSampling/ySampling==1 in CompositeDeepScanLine +* [1208](https://github.com/AcademySoftwareFoundation/openexr/pull/1208) +Reduce memory consumption with very large deepscanline images +* [1206](https://github.com/AcademySoftwareFoundation/openexr/pull/1206) +Update INSTALL.md +* [1205](https://github.com/AcademySoftwareFoundation/openexr/pull/1205) +DeepScanlineInputFile now uses chunk size test from DeepTiledInputFile +* [1200](https://github.com/AcademySoftwareFoundation/openexr/pull/1200) +Corrected Deep Docs & Example Code +* [1199](https://github.com/AcademySoftwareFoundation/openexr/pull/1199) +Fix C++ DeepTile reading in Imf::CheckFile +* [1195](https://github.com/AcademySoftwareFoundation/openexr/pull/1195) +Fix bugs in ImfCheckFile.cpp:readDeepTile() +* [1193](https://github.com/AcademySoftwareFoundation/openexr/pull/1193) +mention multipart files in multiview doc +* [1191](https://github.com/AcademySoftwareFoundation/openexr/pull/1191) +Replace Doxygen/Sphinx targets with "docs" +* [1190](https://github.com/AcademySoftwareFoundation/openexr/pull/1190) +Add Compression section to "Reading and Writing Image Files" doc +* [1189](https://github.com/AcademySoftwareFoundation/openexr/pull/1189) +Fix typo in readthedocs url + + +## Version 3.1.3 (October 27, 2021) + +Patch release with a change to default zip compression level: + +* Default zip compression level is now 4 (instead of 6), which in our + tests improves compression times by 2x with only a tiny drop in + compression ratio. 
+* ``setDefaultZipCompression()`` and ``setDefaultDwaCompression()`` + now set default compression levels for writing. +* The Header how has ``zipCompressionLevel()`` and + ``dwaCompressionLevel()`` to return the levels used for writing. + +Also, various bug fixes, build improvements, and documentation +updates. In particular: + +* Fixes a build failure with Imath prior to v3.1 +* Fixes a bug in detecting invalid chromaticity values + +Specific OSS-fuzz issues: + +* OSS-fuzz [40091](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40091) + Heap-buffer-overflow in hufDecode +* OSS-fuzz [39997](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39997) + Null-dereference in Imf_3_1::readCoreScanlinePart +* OSS-fuzz [39996](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39996) + Heap-buffer-overflow in generic_unpack +* OSS-fuzz [39936](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39936) + Heap-buffer-overflow in Imf_3_1::memstream_read +* OSS-fuzz [39836](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39836) + Heap-buffer-overflow in internal_huf_decompress +* OSS-fuzz [39799](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39799) + Heap-buffer-overflow in unpack_32bit +* OSS-fuzz [39754](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39754) + Abrt in internal_decode_alloc_buffer +* OSS-fuzz [39737](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39737) + Heap-buffer-overflow in unpack_16bit +* OSS-fuzz [39683](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39683) + Null-dereference in Imf_3_1::readCoreScanlinePart +* OSS-fuzz [39630](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39630) + Direct-leak in internal_decode_alloc_buffer +* OSS-fuzz [39623](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39623) + Heap-buffer-overflow in unpack_16bit +* OSS-fuzz [39616](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39616) + Heap-buffer-overflow in Imf_3_1::memstream_read +* OSS-fuzz 
[39604](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39604) + Abrt in internal_decode_free_buffer +* OSS-fuzz [39601](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39601) + Heap-buffer-overflow in internal_huf_decompress +* OSS-fuzz [39591](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39591) + Integer-overflow in Imf_3_1::readCoreTiledPart +* OSS-fuzz [39579](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39579) + Undefined-shift in internal_huf_decompress +* OSS-fuzz [39571](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39571) + Heap-buffer-overflow in generic_unpack +* OSS-fuzz [39568](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39568) + Null-dereference in Imf_3_1::readCoreScanlinePart +* OSS-fuzz [39542](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39542) + Heap-buffer-overflow in Imf_3_1::memstream_read +* OSS-fuzz [39538](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39538) + Heap-buffer-overflow in unpack_16bit_4chan_planar +* OSS-fuzz [39532](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39532) + Heap-buffer-overflow in unpack_16bit_4chan_planar +* OSS-fuzz [39529](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39529) + Null-dereference in Imf_3_1::readCoreTiledPart +* OSS-fuzz [39526](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39526) + Integer-overflow in exr_read_tile_chunk_info +* OSS-fuzz [39522](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39522) + Direct-leak in internal_decode_alloc_buffer +* OSS-fuzz [39472](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39472) + Heap-buffer-overflow in unpack_16bit +* OSS-fuzz [39421](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39421) + Stack-overflow in Imf_3_1::memstream_read +* OSS-fuzz [39399](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39399) + Direct-leak in exr_attr_preview_init +* OSS-fuzz [39397](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39397) + Timeout in 
openexr_exrcheck_fuzzer +* OSS-fuzz [39343](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39343) + Null-dereference READ in ubsan_GetStackTrace +* OSS-fuzz [39342](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39342) + Direct-leak in Imf_3_1::OpaqueAttribute::copy +* OSS-fuzz [39340](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39340) + Stack-overflow in Imf_3_1::memstream_read +* OSS-fuzz [39332](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39332) + Out-of-memory in openexr_exrcheck_fuzzer +* OSS-fuzz [39329](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39329) + Negative-size-param in Imf_3_1::memstream_read +* OSS-fuzz [39328](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39328) + Undefined-shift in internal_exr_compute_tile_information +* OSS-fuzz [39323](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39323) + Integer-overflow in Imf_3_1::readCoreTiledPart + +Merged Pull Requests: +* [1187](https://github.com/AcademySoftwareFoundation/openexr/pull/1187) + Add size check to memory stream check program +* [1186](https://github.com/AcademySoftwareFoundation/openexr/pull/1186) + Add extra tile validation +* [1185](https://github.com/AcademySoftwareFoundation/openexr/pull/1185) + Fix test for bad chunk data to allow for 0-sample deep chunks +* [1184](https://github.com/AcademySoftwareFoundation/openexr/pull/1184) + Fixes an issue computing the unpacked size of a chunk +* [1183](https://github.com/AcademySoftwareFoundation/openexr/pull/1183) + Fix decoding of piz when y sampling is not the same for all channels +* [1182](https://github.com/AcademySoftwareFoundation/openexr/pull/1182) + Require at least one channel +* [1180](https://github.com/AcademySoftwareFoundation/openexr/pull/1180) + reduce iterations in testIDManifest to speed up +* [1178](https://github.com/AcademySoftwareFoundation/openexr/pull/1178) + use std::abs in chromaticity sanity tests (fixes #1177) +* 
[1176](https://github.com/AcademySoftwareFoundation/openexr/pull/1176) + Update CI builds +* [1174](https://github.com/AcademySoftwareFoundation/openexr/pull/1174) + Update docs with link to EasyCLA +* [1173](https://github.com/AcademySoftwareFoundation/openexr/pull/1173) + Fix misc issues due to OSS-fuzz +* [1172](https://github.com/AcademySoftwareFoundation/openexr/pull/1172) + fix casts in readUInt shifts +* [1169](https://github.com/AcademySoftwareFoundation/openexr/pull/1169) + Clean up error messages, check against packed size of 0, integer overflow +* [1168](https://github.com/AcademySoftwareFoundation/openexr/pull/1168) + Refactor attribute size checks +* [1167](https://github.com/AcademySoftwareFoundation/openexr/pull/1167) + Fix loop iterators in ImfCheckFile.cpp +* [1166](https://github.com/AcademySoftwareFoundation/openexr/pull/1166) + fix int overflow in calc_level_size +* [1165](https://github.com/AcademySoftwareFoundation/openexr/pull/1165) + Prevent read when offset past the end of the memstream +* [1164](https://github.com/AcademySoftwareFoundation/openexr/pull/1164) + Also fail when the user provides a preview image that has a zero size coordinate +* [1163](https://github.com/AcademySoftwareFoundation/openexr/pull/1163) + don't validate chunk size when file_size unknown +* [1161](https://github.com/AcademySoftwareFoundation/openexr/pull/1161) + validate filesize before allocating chunk memory +* [1160](https://github.com/AcademySoftwareFoundation/openexr/pull/1160) + validate dwaCompressionLevel attribute type +* [1150](https://github.com/AcademySoftwareFoundation/openexr/pull/1150) + Enable Google OSS Fuzz to also test Core library +* [1149](https://github.com/AcademySoftwareFoundation/openexr/pull/1145) + Enable ephemeral compression levels +* [1145](https://github.com/AcademySoftwareFoundation/openexr/pull/1145) + Fix when compiling against pre-3.1 version of Imath +* [1125](https://github.com/AcademySoftwareFoundation/openexr/pull/1125) + Zip: 
switch to compression level 4 instead of default 6 + ## Version 3.1.2 (October 4, 2021) Patch release with various bug fixes, build improvements, and From c1ea7163ec8a317abd9c4d94c4d5f704847153cf Mon Sep 17 00:00:00 2001 From: Cary Phillips Date: Fri, 21 Jan 2022 13:21:29 -0800 Subject: [PATCH 2/3] Reference to CVE-2021-45942 Signed-off-by: Cary Phillips --- SECURITY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SECURITY.md b/SECURITY.md index e2d23528ce..5e6eeb4924 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,6 +16,7 @@ post patches as quickly as possible. These vulnerabilities are present in the given versions: +* [CVE-2021-45942](https://nvd.nist.gov/vuln/detail/CVE-2021-45942) 3.1.0, 3.1.1, 3.1.2, 3.1.3 * [CVE-2021-20296](https://nvd.nist.gov/vuln/detail/CVE-2021-20296) 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3 * [CVE-2021-3479](https://nvd.nist.gov/vuln/detail/CVE-2021-3479) 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3 * [CVE-2021-3478](https://nvd.nist.gov/vuln/detail/CVE-2021-3478) 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3 From 9e5ba4f57191033b65775a97d86cf00f95b00339 Mon Sep 17 00:00:00 2001 From: Cary Phillips Date: Wed, 26 Jan 2022 18:24:42 -0800 Subject: [PATCH 3/3] Add links to 3.1.2 and 3.1.3 Signed-off-by: Cary Phillips --- CHANGES.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 5bc29b288f..533c0dbe09 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,5 +1,7 @@ # OpenEXR Release Notes +* [Version 3.1.4](#version-314-january-26-2022) January 27, 2022 +* [Version 3.1.3](#version-313-october-27-2021) October 27, 2021 * [Version 3.1.2](#version-312-october-4-2021) October 4, 2021 * [Version 3.1.1](#version-311-august-2-2021) August 2, 2021 * [Version 3.1.0](#version-310-july-22-2021) July 22, 2021
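Review bot: in the first patch (CHANGES.md, "Version 3.1.4" hunk), the 3.1.3 "Merged Pull Requests" list has a mislinked entry: "* [1149](https://github.com/AcademySoftwareFoundation/openexr/pull/1145)" points at PR 1145 while the label says 1149, and the very next entry already links pull/1145; the URL should end in pull/1149. Same hunk, smaller wording fixes for the release-note text: "a a "short" huf table" (doubled "a"), "RLE buufer" (buffer), and "The Header how has" (now has); "VisualStudio on ARM64" is spelled "Visual Studio" on the line above it, so the two bullets should agree. The 3.1.3 section also drops the blank line between "Merged Pull Requests:" and its first "* [1187]" bullet, unlike the 3.1.4 section just above, which keeps one; some Markdown renderers will fold the first bullet into the paragraph without it.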
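Review bot: in the third patch (CHANGES.md index hunk), the new line "* [Version 3.1.4](#version-314-january-26-2022) January 27, 2022" disagrees with itself and with the heading added in the first patch, "## Version 3.1.4 (January 26, 2022)": the anchor encodes January 26 but the visible date says January 27. Whichever date is the release date, the heading, the anchor and the index text need to carry the same one, or the anchor will no longer resolve once the heading is corrected. The commit subject "Add links to 3.1.2 and 3.1.3" also does not match the hunk, which adds index entries for 3.1.4 and 3.1.3 (3.1.2 was already present as context); the subject should read "Add links to 3.1.3 and 3.1.4".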