CVE-2021-23169

NameCVE-2021-23169
DescriptionA heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs988240

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openexr (PTS)bullseye (security), bullseye2.5.4-2+deb11u1fixed
bookworm3.1.5-5fixed
sid, trixie3.1.5-5.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openexrsourcestretch(not affected)
openexrsourcebuster(not affected)
openexrsource(unstable)2.5.4-2988240

Notes

[buster] - openexr <not-affected> (Vulnerable code not present)
[stretch] - openexr <not-affected> (Vulnerable code not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e

Search for package or bug name: Reporting problems