An update for OpenEXR is now available for openEuler-20.03-LTS-SP1

Security Advisory
Contact: openeuler-security@openeuler.org
Publisher: openEuler security committee
Advisory ID: openEuler-SA-2021-1238
Status: Final
Version: 1.0
Revision history: 1.0, 2021-06-26, Initial
Initial release date: 2021-06-26
Current release date: 2021-06-26
Generator: openEuler SA Tool V1.0, 2021-06-26

Synopsis: OpenEXR security update

Description:
OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.

Security Fix(es):

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215. (CVE-2021-26260)

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. (CVE-2021-23215)

A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR. (CVE-2021-23169)

Topic:
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: High
Affected component: OpenEXR

References:
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1238
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-26260
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-23215
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-23169
https://nvd.nist.gov/vuln/detail/CVE-2021-26260
https://nvd.nist.gov/vuln/detail/CVE-2021-23215
https://nvd.nist.gov/vuln/detail/CVE-2021-23169

Product: openEuler-20.03-LTS-SP1

Packages:

aarch64:
OpenEXR-devel-2.2.0-20.oe1.aarch64.rpm
OpenEXR-2.2.0-20.oe1.aarch64.rpm
OpenEXR-libs-2.2.0-20.oe1.aarch64.rpm
OpenEXR-debugsource-2.2.0-20.oe1.aarch64.rpm
OpenEXR-debuginfo-2.2.0-20.oe1.aarch64.rpm

src:
OpenEXR-2.2.0-20.oe1.src.rpm

x86_64:
OpenEXR-2.2.0-20.oe1.x86_64.rpm
OpenEXR-libs-2.2.0-20.oe1.x86_64.rpm
OpenEXR-devel-2.2.0-20.oe1.x86_64.rpm
OpenEXR-debugsource-2.2.0-20.oe1.x86_64.rpm
OpenEXR-debuginfo-2.2.0-20.oe1.x86_64.rpm

Vulnerabilities:

CVE-2021-26260
Release date: 2021-06-26
Affected product: openEuler-20.03-LTS-SP1
Severity: Medium
CVSS base score: 5.5
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Remediation: OpenEXR security update, 2021-06-26, https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1238

CVE-2021-23215
Release date: 2021-06-26
Affected product: openEuler-20.03-LTS-SP1
Severity: Medium
CVSS base score: 5.5
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Remediation: OpenEXR security update, 2021-06-26, https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1238

CVE-2021-23169
Release date: 2021-06-26
Affected product: openEuler-20.03-LTS-SP1
Severity: High
CVSS base score: 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Remediation: OpenEXR security update, 2021-06-26, https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1238