CVE-2017-12596

Publication date 7 August 2017

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

7.8 · High

Score breakdown

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact.

Read the notes from the security team

Status

Package Ubuntu Release Status
openexr 19.04 disco
Not affected
18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.04 LTS xenial
Fixed 2.2.0-10ubuntu2.1
14.04 LTS trusty Not in release

Notes


mdeslaur

same patch as CVE-2017-9110

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
openexr

Severity score breakdown

Parameter Value
Base score 7.8 · High
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-4148-1
    • OpenEXR vulnerabilities
    • 7 October 2019

Other references