CVE-2017-12596

Name: CVE-2017-12596
Description: In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact.
Source: CVE (at NVD)
NVD severity: medium (attack range: remote)
Debian Bugs: 877352

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release             Version           Status
openexr (PTS)     wheezy              1.6.1-6           vulnerable
                  wheezy (security)   1.6.1-6+deb7u1    fixed
                  jessie              1.6.1-8           vulnerable
                  stretch             2.2.0-11          vulnerable
                  buster, sid         2.2.0-11.1        vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
openexr   source   (unstable)   (unfixed)         medium             877352
openexr   source   wheezy       1.6.1-6+deb7u1    medium

Notes

Upstream issue: https://github.com/openexr/openexr/issues/238
Upstream fix: https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c
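As an added illustration of the bug class the description names (this is not OpenEXR's code and not the content of the upstream commit linked above), the following toy chunk decoder has the shape of a Huffman decompressor whose input end pointer is derived from a bit count declared in the untrusted chunk header. A crafted header with a large bit count sends the decode loop past the end of the heap allocation, which is what a heap-based buffer over-read in a decoder looks like under ASan. The chunk layout, the 2-bit code table, the `toy_*` names and the two sample chunks are all assumptions constructed for this example; the checked variant bounds the declared size by the chunk's real length before decoding, which is the check any fix for this class of bug has to add.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not OpenEXR code: a toy Huffman-style chunk decoder.
 * Chunk layout (assumed):  4 bytes little-endian nbits | coded payload
 * Code table (assumed):    2-bit codes 00,01,10 -> literals 1,2,3;
 *                          11 -> run-length: next 8 bits repeat the previous value */

enum toy_status {
    TOY_OK = 0,
    TOY_ERR_SHORT_HEADER,    /* chunk cannot hold the 4-byte header         */
    TOY_ERR_TRUNCATED,       /* decoder needed bits the chunk does not have */
    TOY_ERR_TOO_MUCH_DATA,   /* output would overrun the caller's buffer    */
    TOY_ERR_NOT_ENOUGH_DATA, /* run-length code before any literal          */
    TOY_ERR_OOB_READ         /* decoder tried to read past the allocation   */
};

struct toy_result { enum toy_status status; size_t produced; };

#define TOY_RLC 3u

/* `ie` is where the decoder believes the input ends (derived from nbits);
 * `alloc_end` is where the buffer really ends. A real decoder has no
 * alloc_end and would dereference the wild pointer; here that read is
 * reported as TOY_ERR_OOB_READ instead, the access ASan would flag. */
static struct toy_result
toy_decode(const uint8_t *in, const uint8_t *ie, const uint8_t *alloc_end,
           uint16_t *out, size_t no)
{
    struct toy_result r = { TOY_OK, 0 };
    uint16_t *ob = out, *oe = out + no;
    uint64_t c = 0;   /* bit accumulator */
    int lc = 0;       /* number of valid bits in c */

#define TOY_GET_BYTE()                                                    \
    do {                                                                  \
        if (in >= ie)        { r.status = TOY_ERR_TRUNCATED; goto done; } \
        if (in >= alloc_end) { r.status = TOY_ERR_OOB_READ;  goto done; } \
        c = (c << 8) | *in++; lc += 8;                                    \
    } while (0)

    while (in < ie) {
        TOY_GET_BYTE();
        while (lc >= 2) {
            unsigned sym = (unsigned)(c >> (lc - 2)) & 3u;
            lc -= 2;
            if (sym == TOY_RLC) {
                if (lc < 8) TOY_GET_BYTE();          /* refill for the 8-bit run count */
                lc -= 8;
                unsigned cs = (unsigned)(c >> lc) & 0xffu;
                if (cs > (size_t)(oe - out)) { r.status = TOY_ERR_TOO_MUCH_DATA;   goto done; }
                if (out == ob)               { r.status = TOY_ERR_NOT_ENOUGH_DATA; goto done; }
                uint16_t s = out[-1];
                while (cs-- > 0) *out++ = s;
            } else if (out < oe) {
                *out++ = (uint16_t)(sym + 1);
            } else {
                r.status = TOY_ERR_TOO_MUCH_DATA; goto done;
            }
        }
    }
done:
    r.produced = (size_t)(out - ob);
    return r;
#undef TOY_GET_BYTE
}

static uint32_t toy_rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable shape: the input end is computed from the header's bit count and
 * never compared with the chunk length the caller actually has. */
struct toy_result
toy_uncompress_trusting(const uint8_t *chunk, size_t len, uint16_t *out, size_t no)
{
    struct toy_result r = { TOY_ERR_SHORT_HEADER, 0 };
    if (len < 4) return r;
    size_t need = ((size_t)toy_rd32(chunk) + 7) / 8;
    const uint8_t *in = chunk + 4;
    return toy_decode(in, in + need, chunk + len, out, no); /* in + need may lie past chunk + len */
}

/* Hardened shape: refuse the chunk unless the declared bits fit inside it. */
struct toy_result
toy_uncompress_checked(const uint8_t *chunk, size_t len, uint16_t *out, size_t no)
{
    struct toy_result r = { TOY_ERR_SHORT_HEADER, 0 };
    if (len < 4) return r;
    size_t need = ((size_t)toy_rd32(chunk) + 7) / 8;
    if (need > len - 4) { r.status = TOY_ERR_TRUNCATED; return r; }
    const uint8_t *in = chunk + 4;
    return toy_decode(in, in + need, chunk + len, out, no);
}

/* Constructed sample chunks. Payload 1B 05 encodes 00 01 10 11 | 00000101:
 * literals 1,2,3 then "repeat 3 five times", i.e. 8 output values. */
static const uint8_t toy_good_chunk[]    = { 0x10, 0x00, 0x00, 0x00, 0x1B, 0x05 }; /* nbits = 16   */
static const uint8_t toy_crafted_chunk[] = { 0x00, 0x10, 0x00, 0x00, 0x1B, 0x05 }; /* nbits = 4096 */
uint16_t toy_demo_out[8];

/* Run one sample chunk through one path; decoded values land in toy_demo_out. */
struct toy_result toy_demo(int crafted, int checked)
{
    const uint8_t *chunk = crafted ? toy_crafted_chunk : toy_good_chunk;
    size_t len = crafted ? sizeof toy_crafted_chunk : sizeof toy_good_chunk;
    return checked ? toy_uncompress_checked(chunk, len, toy_demo_out, 8)
                   : toy_uncompress_trusting(chunk, len, toy_demo_out, 8);
}

int main(void)
{
    static const char *names[] = { "ok", "short header", "truncated",
                                   "too much data", "not enough data", "OOB READ" };
    for (int crafted = 0; crafted < 2; crafted++)
        for (int checked = 0; checked < 2; checked++) {
            struct toy_result r = toy_demo(crafted, checked);
            printf("%s chunk, %s path: %s, %zu values\n",
                   crafted ? "crafted" : "good", checked ? "checked" : "trusting",
                   names[r.status], r.produced);
        }
    return 0;
}
```

The good chunk decodes to 8 values on both paths. The crafted chunk declares 4096 bits over a 2-byte payload: the trusting path decodes the two real bytes and then walks off the end of the allocation (reported here as OOB READ, a crash or information leak in a real decoder), while the checked path rejects the chunk before touching the payload. The same bound matters for the run-length refill, which pulls an extra byte only when the decoder still has one within the validated end.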
