CVE-2009-1720

NameCVE-2009-1720
DescriptionMultiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows, related to (1) the Imf::PreviewImage::PreviewImage function and (2) compressor constructors. NOTE: some of these details are obtained from third party information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1842-1
NVD severityhigh (attack range: remote)
Debian Bugs540424

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openexr (PTS)wheezy1.6.1-6fixed
wheezy (security)1.6.1-6+deb7u1fixed
jessie1.6.1-8fixed
stretch2.2.0-11fixed
buster, sid2.2.0-11.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openexrsource(unstable)1.6.1-4.1medium540424
openexrsourceetch1.2.2-4.3+etch2highDSA-1842-1
openexrsourcelenny1.6.1-3+lenny3highDSA-1842-1

Search for package or bug name: Reporting problems