PixarAnimationStudios / OpenUSD

Universal Scene Description
http://www.openusd.org

Bundled OpenEXR 3.2.0 is affected by CVE-2023-5841 #2935

Open musicinmybrain opened 7 months ago

musicinmybrain commented 7 months ago

Description of Issue

See https://github.com/AcademySoftwareFoundation/openexr/issues/1625 and https://takeonme.org/cves/CVE-2023-5841.html.

A proposed fix is available in https://github.com/AcademySoftwareFoundation/openexr/pull/1627.

Steps to Reproduce

Observe that a slightly forked version of OpenEXR 3.2.0 is bundled in https://github.com/PixarAnimationStudios/OpenUSD/tree/v23.11/pxr/imaging/hio/OpenEXR, and compare with https://github.com/AcademySoftwareFoundation/openexr/issues/1625 and https://takeonme.org/cves/CVE-2023-5841.html.

System Information (OS, Hardware)

N/A

Package Versions

23.11

Build Flags

N/A
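The "Steps to Reproduce" above amount to locating the vendored OpenEXR copy and checking its version. As an added example for that step (not code from OpenUSD or OpenEXR), the script below walks a source tree, finds files that declare upstream-style `OPENEXR_VERSION_MAJOR/MINOR/PATCH` macros, and reports whether the declared version predates the fix. It assumes the bundled copy kept those macros (the upstream `OpenEXRConfig.h` defines them); the page does not say in which release PR #1627 shipped, so `FIXED_VERSION` is a placeholder to confirm against the OpenEXR release notes, and `SAMPLE_HEADER` is a constructed stand-in for a vendored 3.2.0 config header.

```python
"""Check a vendored (bundled) OpenEXR copy against a minimum fixed version.

Added illustration for the issue above; not OpenUSD or OpenEXR code.
Assumptions: the bundled copy carries the upstream OPENEXR_VERSION_{MAJOR,MINOR,PATCH}
macros, and FIXED_VERSION is the first release containing the fix from openexr PR #1627
(not stated on the page; verify against upstream release notes before relying on it).
"""
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Placeholder (assumed): first OpenEXR release containing the fix. Confirm upstream.
FIXED_VERSION: Version = (3, 2, 2)

# Matches lines like "#define OPENEXR_VERSION_MINOR 2" anywhere in a file.
_MACRO_RE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+OPENEXR_VERSION_(MAJOR|MINOR|PATCH)[ \t]+(\d+)\b",
    re.MULTILINE,
)


def parse_version(header_text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from OpenEXR-style version macros; None if incomplete."""
    found = {m.group(1): int(m.group(2)) for m in _MACRO_RE.finditer(header_text)}
    if not {"MAJOR", "MINOR", "PATCH"} <= found.keys():
        return None
    return (found["MAJOR"], found["MINOR"], found["PATCH"])


def is_affected(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True when the bundled version is older than the release carrying the fix."""
    return version < fixed  # tuple comparison is lexicographic: major, then minor, then patch


def scan_tree(root: Path, fixed: Version = FIXED_VERSION) -> List[Tuple[str, Version, bool]]:
    """Find files under root declaring OpenEXR version macros; return (path, version, affected)."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in {".h", ".hpp", ".c", ".cpp"}:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        ver = parse_version(text)
        if ver is not None:
            findings.append((str(path), ver, is_affected(ver, fixed)))
    return findings


# Constructed sample resembling a vendored OpenEXR 3.2.0 config header (not real file content).
SAMPLE_HEADER = """\
#ifndef INCLUDED_OPENEXR_CONFIG_H
#define INCLUDED_OPENEXR_CONFIG_H
#define OPENEXR_VERSION_MAJOR 3
#define OPENEXR_VERSION_MINOR 2
#define OPENEXR_VERSION_PATCH 0
#define OPENEXR_VERSION_STRING "3.2.0"
#endif
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_vendored_openexr.py path/to/source/tree
        for path, ver, bad in scan_tree(Path(sys.argv[1])):
            print(f"{path}: {'.'.join(map(str, ver))} -> {'AFFECTED' if bad else 'ok'}")
    else:
        ver = parse_version(SAMPLE_HEADER)
        print("sample header:", ver, "affected" if ver and is_affected(ver) else "ok")
```

Running it against a checkout of the tree named in the report would list every file that declares the version macros, so a forked or renamed copy still shows up as long as the macros survived the fork.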

jesschimein commented 7 months ago

Filed as internal issue #USD-9261

meshula commented 7 months ago

Hi, thanks for the report. We can update our copy once the fix has been tagged in a release at the OpenEXR project.

Please note that the reported issue affects deep pixel tiled images; deep pixel images are not read or supported by Hydra as a texture input, so the code path addressed by this CVE and the proposed fix are not able to be exercised from OpenUSD. In the future it's possible we would support deep pixels, and picking up the fix when it is published will safeguard against that possibility.

musicinmybrain commented 7 months ago

> Hi, thanks for the report. We can update our copy once the fix has been tagged in a release at the OpenEXR project.
>
> Please note that the reported issue affects deep pixel tiled images; deep pixel images are not read or supported by Hydra as a texture input, so the code path addressed by this CVE and the proposed fix are not able to be exercised from OpenUSD. In the future it's possible we would support deep pixels, and picking up the fix when it is published will safeguard against that possibility.

Thanks for this detailed and useful assessment. As a co-maintainer of the usd package in Fedora, this helped me decide that I probably shouldn’t patch in the proposed fix right away, and I don’t necessarily need to do anything about CVE-2023-5841 other than wait for a future OpenUSD release to contain an updated OpenEXR.