Accepting request 715498 from graphics

- security update - added patches CVE-2017-14988 [bsc#1061305] + openexr-CVE-2017-14988.patch OBS-URL: https://build.opensuse.org/request/show/715498 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openexr?expand=0&rev=30
2019-07-17 12:23:43 +00:00 · 2019-07-17 12:23:43 +00:00 · bd1a34f946
commit bd1a34f946
parent 50c99e20b2 3c840ae9b8
3 changed files with 26 additions and 0 deletions
--- a/openexr-CVE-2017-14988.patch
+++ b/openexr-CVE-2017-14988.patch
@ -0,0 +1,15 @@
+--- a/IlmImf/ImfHeader.cpp
+++ b/IlmImf/ImfHeader.cpp
+@@ -1185,6 +1185,11 @@ Header::readFrom (OPENEXR_IMF_INTERNAL_NAMESPACE::IStream &is, int &version)
+ 	checkIsNullTerminated (typeName, "attribute type name");
+ 	OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, size);
+ 
+    if( size < 0 )
+    {
+        throw IEX_NAMESPACE::InputExc("Invalid size field in header attribute");
+    }
+
+ 	AttributeMap::iterator i = _map.find (name);
+ 
+ 	if (i != _map.end())
+
--- a/openexr.changes
+++ b/openexr.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 15 14:06:20 UTC 2019 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2017-14988 [bsc#1061305]
+  + openexr-CVE-2017-14988.patch
+
 -------------------------------------------------------------------
 Fri Jun 14 19:30:32 UTC 2019 - pgajdos@suse.com

--- a/openexr.spec
+++ b/openexr.spec
@ -40,6 +40,8 @@ Patch0:         openexr-CVE-2018-18444.patch
 # https://github.com/openexr/openexr/pull/401
 # CVE-2017-9111 [bsc#1040109], CVE-2017-9113 [bsc#1040113], CVE-2017-9115 [bsc#1040115]
 Patch1:         openexr-CVE-2017-9111,9113,9115.patch
+# CVE-2017-14988 [bsc#1061305]
+Patch2:         openexr-CVE-2017-14988.patch
 BuildRequires:  automake
 BuildRequires:  fltk-devel
 BuildRequires:  freeglut-devel
@ -140,6 +142,7 @@ This package contains documentation.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 %build
 export PTHREAD_LIBS="-lpthread"