OpenEXR Multiple Memory Corruption Vulnerabilities

Cause
Design error
 
Affected systems
Industrial Light & Magic OpenEXR 1.6
Industrial Light & Magic OpenEXR 1.2
 
Unaffected systems
 
Impact
A remote attacker can exploit these vulnerabilities to execute arbitrary code with the privileges of the application.
 
Conditions required for attack
The attacker must be able to access OpenEXR.
 
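Vulnerability details
OpenEXR is a file format used in the visual effects industry for high dynamic range images.
OpenEXR contains multiple memory corruption issues that a remote attacker can exploit to execute arbitrary code with the privileges of the application.
-An integer overflow error in the "PreviewImage::PreviewImage()" function can lead to a heap-based buffer overflow.
-Integer overflow errors in several compression framework modules can lead to heap-based buffer overflows.
-An error in "Imf::hufUncompress()" can cause an uninitialized pointer to be freed, leading to memory corruption.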
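The integer-overflow pattern behind the first two items, shown as an added C example that is not OpenEXR's code: a buffer size derived from file-supplied dimensions wraps in 32-bit arithmetic, and a checked computation rejects it. The type `preview_px` and the functions `unchecked_size32`, `checked_preview_size` and `alloc_preview` are hypothetical names chosen for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical 4-byte RGBA preview pixel (assumed layout for this example). */
typedef struct { uint8_t r, g, b, a; } preview_px;

/* What an unchecked 32-bit size computation yields: the product is reduced
   modulo 2^32, so large dimensions can produce a tiny allocation size that
   later per-pixel writes overrun. */
uint32_t unchecked_size32(uint32_t width, uint32_t height)
{
    return width * height * (uint32_t)sizeof(preview_px);
}

/* Checked version: returns 0 and stores the byte count in *out, or returns
   -1 if width * height * sizeof(preview_px) does not fit in size_t. */
int checked_preview_size(uint32_t width, uint32_t height, size_t *out)
{
    size_t w = width, h = height;
    if (w != 0 && h > SIZE_MAX / w)
        return -1;                          /* w * h would overflow */
    size_t count = w * h;
    if (count > SIZE_MAX / sizeof(preview_px))
        return -1;                          /* count * 4 would overflow */
    *out = count * sizeof(preview_px);
    return 0;
}

/* Allocate a zeroed preview buffer only when the size is representable and
   within a caller-supplied cap; NULL tells the parser to reject the file. */
preview_px *alloc_preview(uint32_t width, uint32_t height, size_t max_bytes)
{
    size_t bytes;
    if (checked_preview_size(width, height, &bytes) != 0 || bytes > max_bytes)
        return NULL;
    if (bytes == 0)
        return NULL;                        /* empty previews are rejected too */
    return calloc(1, bytes);
}
```

With dimensions 0x10000 by 0x4000 the unchecked size wraps to 0 bytes, while the checked path refuses the allocation.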
 
Test method
 
Vendor solution
Debian Linux users can refer to the following upgrade packages:
Debian Linux 4.0 amd64
Debian libopenexr-dev_1.2.2-4.3+etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_amd64.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_amd64.deb
Debian openexr_1.2.2-4.3+etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_amd64.deb
Debian Linux 4.0 ia-32
Debian libopenexr-dev_1.2.2-4.3+etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_i386.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_i386.deb
Debian openexr_1.2.2-4.3+etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_i386.deb
Debian Linux 4.0 arm
Debian libopenexr-dev_1.2.2-4.3+etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_arm.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_arm.deb
Debian openexr_1.2.2-4.3+etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_arm.deb
Debian Linux 5.0 hppa
Debian libopenexr-dev_1.6.1-3+lenny3_hppa.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_hppa.deb
Debian libopenexr6_1.6.1-3+lenny3_hppa.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_hppa.deb
Debian openexr_1.6.1-3+lenny3_hppa.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_hppa.deb
Debian Linux 5.0 ia-64
Debian libopenexr-dev_1.6.1-3+lenny3_ia64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_ia64.deb
Debian libopenexr6_1.6.1-3+lenny3_ia64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_ia64.deb
Debian openexr_1.6.1-3+lenny3_ia64.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_ia64.deb
Debian Linux 4.0 hppa
Debian libopenexr-dev_1.2.2-4.3+etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_hppa.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_hppa.deb
Debian openexr_1.2.2-4.3+etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_hppa.deb
Debian Linux 4.0 sparc
Debian libopenexr-dev_1.2.2-4.3+etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_sparc.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_sparc.deb
Debian openexr_1.2.2-4.3+etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_sparc.deb
Debian Linux 4.0 s/390
Debian libopenexr-dev_1.2.2-4.3+etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_s390.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_s390.deb
Debian openexr_1.2.2-4.3+etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_s390.deb
Debian Linux 5.0 arm
Debian libopenexr-dev_1.6.1-3+lenny3_arm.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_arm.deb
Debian libopenexr6_1.6.1-3+lenny3_arm.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_arm.deb
Debian openexr_1.6.1-3+lenny3_arm.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_arm.deb
Debian Linux 4.0 powerpc
Debian libopenexr-dev_1.2.2-4.3+etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_powerpc.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_powerpc.deb
Debian openexr_1.2.2-4.3+etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_powerpc.deb
Debian Linux 4.0 alpha
Debian libopenexr-dev_1.2.2-4.3+etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_alpha.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_alpha.deb
Debian openexr_1.2.2-4.3+etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_alpha.deb
Debian Linux 5.0 armel
Debian libopenexr-dev_1.6.1-3+lenny3_armel.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_armel.deb
Debian libopenexr6_1.6.1-3+lenny3_armel.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_armel.deb
Debian openexr_1.6.1-3+lenny3_armel.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_armel.deb
Debian Linux 4.0 mipsel
Debian libopenexr-dev_1.2.2-4.3+etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_mipsel.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_mipsel.deb
Debian openexr_1.2.2-4.3+etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_mipsel.deb
Debian Linux 5.0 amd64
Debian libopenexr-dev_1.6.1-3+lenny3_amd64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_amd64.deb
Debian libopenexr6_1.6.1-3+lenny3_amd64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_amd64.deb
Debian openexr_1.6.1-3+lenny3_amd64.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_amd64.deb
Debian Linux 5.0 alpha
Debian libopenexr-dev_1.6.1-3+lenny3_alpha.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_alpha.deb
Debian libopenexr6_1.6.1-3+lenny3_alpha.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_alpha.deb
Debian openexr_1.6.1-3+lenny3_alpha.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_alpha.deb
Debian Linux 5.0 ia-32
Debian libopenexr-dev_1.6.1-3+lenny3_i386.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_i386.deb
Debian libopenexr6_1.6.1-3+lenny3_i386.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_i386.deb
Debian openexr_1.6.1-3+lenny3_i386.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_i386.deb
Debian Linux 5.0 mips
Debian libopenexr-dev_1.6.1-3+lenny3_mips.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_mips.deb
Debian libopenexr6_1.6.1-3+lenny3_mips.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_mips.deb
Debian openexr_1.6.1-3+lenny3_mips.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_mips.deb
Debian Linux 5.0 s/390
Debian libopenexr-dev_1.6.1-3+lenny3_s390.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_s390.deb
Debian libopenexr6_1.6.1-3+lenny3_s390.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_s390.deb
Debian openexr_1.6.1-3+lenny3_s390.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_s390.deb
Debian Linux 5.0 mipsel
Debian libopenexr-dev_1.6.1-3+lenny3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_mipsel.deb
Debian libopenexr6_1.6.1-3+lenny3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_mipsel.deb
Debian openexr_1.6.1-3+lenny3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_mipsel.deb
Debian Linux 5.0 powerpc
Debian libopenexr-dev_1.6.1-3+lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_powerpc.deb
Debian libopenexr6_1.6.1-3+lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_powerpc.deb
Debian openexr_1.6.1-3+lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_powerpc.deb
Debian Linux 4.0 ia-64
Debian libopenexr-dev_1.2.2-4.3+etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_ia64.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_ia64.deb
Debian openexr_1.2.2-4.3+etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_ia64.deb
Debian Linux 4.0 mips
Debian libopenexr-dev_1.2.2-4.3+etch2_mips.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.2.2-4.3+etch2_mips.deb
Debian libopenexr2c2a_1.2.2-4.3+etch2_mips.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr2c2a_1.2.2-4.3+etch2_mips.deb
Debian openexr_1.2.2-4.3+etch2_mips.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2_mips.deb
Debian Linux 5.0 sparc
Debian libopenexr-dev_1.6.1-3+lenny3_sparc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr-dev_1.6.1-3+lenny3_sparc.deb
Debian libopenexr6_1.6.1-3+lenny3_sparc.deb
http://security.debian.org/pool/updates/main/o/openexr/libopenexr6_1.6.1-3+lenny3_sparc.deb
Debian openexr_1.6.1-3+lenny3_sparc.deb
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3_sparc.deb
 
Vulnerability reported by
Drew Yao
