[ASA-202107-14] openexr: arbitrary code execution
diabonas at archlinux.org
Fri Jul 9 14:16:04 UTC 2021
Arch Linux Security Advisory ASA-202107-14
Date : 2021-07-06
CVE-ID : CVE-2021-3598
Package : openexr
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2071
The package openexr before version 3.0.5-1 is vulnerable to arbitrary
Upgrade to 3.0.5-1.
# pacman -Syu "openexr>=3.0.5-1"
The problem has been fixed upstream in version 3.0.5.
A heap-buffer overflow was found in the readChars function of OpenEXR
before version 3.0.5. An attacker could use this flaw to execute
arbitrary code with the permissions of the user running the application
compiled against OpenEXR.
An attacker could execute arbitrary code through a crafted EXR image
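The following script is an added example, not part of the advisory. It checks whether the installed openexr package predates the fixed version 3.0.5-1 and lists running processes that still map a pre-upgrade OpenEXR library, since a process keeps the old library mapped until it is restarted. The function names are illustrative, the sort -V fallback only approximates vercmp, and the match on "libOpenEXR" assumes the shared object file names start with that string.

```bash
#!/bin/sh
# Added example (not part of the advisory). Function names are illustrative.
FIXED="3.0.5-1"   # first fixed package version, taken from the advisory

# Return 0 if package version $1 is older than $FIXED.
# Uses pacman's vercmp when available; otherwise falls back to GNU sort -V,
# an approximation that ignores epochs.
openexr_is_vulnerable() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$FIXED")" -lt 0 ]
    else
        [ "$1" != "$FIXED" ] &&
        [ "$(printf '%s\n' "$1" "$FIXED" | sort -V | head -n1)" = "$1" ]
    fi
}

# Read /proc/<pid>/maps text on stdin. Return 0 if it contains a mapping of
# a libOpenEXR shared object whose file was replaced on disk ("(deleted)"),
# meaning the process still runs the library from before the upgrade.
maps_has_stale_openexr() {
    grep -q 'libOpenEXR.*(deleted)'
}

# Print the PIDs of processes that still map a replaced libOpenEXR.
# Run as root to inspect processes owned by other users.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_openexr < "$maps"; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Live checks, only on systems that have pacman.
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q openexr 2>/dev/null | awk '{print $2}')
    if [ -n "$installed" ] && openexr_is_vulnerable "$installed"; then
        echo "openexr $installed is older than $FIXED: upgrade required"
    fi
    list_stale_processes
fi
```

Any PID printed after the upgrade belongs to a process that should be restarted to pick up the fixed library.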