CVE-2021-3474

Published: Mar 30, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.

Affected (4)

Products: Openexr: Openexr · Debian: Debian Linux

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Openexr Openexr	Before 2.4.3
Openexr Openexr	From 2.5.0 to 2.5.4

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Related CWEs

CWE-190

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

References (10)

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831

Source: secalert@redhat.com

Issue TrackingMailing ListThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1939142

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202107-27

Source: secalert@redhat.com

Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831