CVE-2021-23169

Name: CVE-2021-23169
Description: A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 988240

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                   | Version            | Status
openexr (PTS)    | stretch                   | 2.2.0-11           | fixed
                 | stretch (security)        | 2.2.0-11+deb9u4    | fixed
                 | buster, buster (security) | 2.2.1-4.1+deb10u1  | fixed
                 | bullseye                  | 2.5.4-2            | fixed
                 | bookworm, sid             | 2.5.7-1            | fixed

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
openexr  | source | stretch    | (not affected) |         |        |
openexr  | source | buster     | (not affected) |         |        |
openexr  | source | (unstable) | 2.5.4-2        |         |        | 988240

Notes

[buster] - openexr <not-affected> (Vulnerable code not present)
[stretch] - openexr <not-affected> (Vulnerable code not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e
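As an added example (not part of this tracker page, and not OpenEXR or Debian tooling), the following POSIX shell check turns the data above into a yes/no answer for a host: given a Debian release name and the installed openexr source version, it reports not-affected for stretch and buster (vulnerable code not present), and otherwise compares the installed version against 2.5.4-2, the fixed version recorded for unstable, which is also the bullseye version listed as fixed. The function names, the sort -V fallback used when dpkg is absent, and the libopenexr25 binary package name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an installed openexr version for CVE-2021-23169
# using the fixed versions and not-affected markers from the Debian tracker.

# Print the fixed version for a release, or "not-affected" where the tracker
# says the vulnerable code is not present. Fails (exit 1) for unknown releases.
# Release names and versions are those listed on this page.
fixed_version_for() {
    case "$1" in
        stretch|buster)       echo "not-affected" ;;
        bullseye|bookworm|sid) echo "2.5.4-2" ;;   # fixed-version row for (unstable)
        *)                    return 1 ;;
    esac
}

# Return 0 if $1 >= $2 in Debian version ordering. Prefers dpkg, which
# implements the real policy (epochs, "~", "+debNuM" suffixes). The sort -V
# fallback is an assumption: close enough for the versions on this page,
# but it does not understand epochs.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
    fi
}

# Print one of: not-affected, fixed, vulnerable, unknown-release.
# Exit status: 0 for not-affected/fixed, 1 for vulnerable, 2 for unknown.
cve_2021_23169_status() {
    release=$1
    installed=$2
    fixed=$(fixed_version_for "$release") || { echo "unknown-release"; return 2; }
    if [ "$fixed" = "not-affected" ]; then
        echo "not-affected"
        return 0
    fi
    if version_ge "$installed" "$fixed"; then
        echo "fixed"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Usage on a Debian host (assumed package name; bullseye ships the runtime
# library as libopenexr25, and ${source:Version} yields the source version):
#   cve_2021_23169_status "$(lsb_release -sc)" \
#       "$(dpkg-query -W -f='${source:Version}' libopenexr25)"
```

The check keys on the source package version rather than the library name because the tracker records fixes per source package; on a host with dpkg available the comparison follows Debian's own ordering, so a backported "2.5.4-2~bpo" style version would correctly sort below 2.5.4-2.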
