OpenImageIO-2.4.5.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12477 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z OpenImageIO-2.4.5.0-1.1 on GA media These are all security issues fixed in the OpenImageIO-2.4.5.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12477 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12477 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-36354/ SUSE CVE CVE-2022-36354 page https://www.suse.com/security/cve/CVE-2022-38143/ SUSE CVE CVE-2022-38143 page https://www.suse.com/security/cve/CVE-2022-41639/ SUSE CVE CVE-2022-41639 page https://www.suse.com/security/cve/CVE-2022-41684/ SUSE CVE CVE-2022-41684 page https://www.suse.com/security/cve/CVE-2022-41794/ SUSE CVE CVE-2022-41794 page https://www.suse.com/security/cve/CVE-2022-41838/ SUSE CVE CVE-2022-41838 page https://www.suse.com/security/cve/CVE-2022-41977/ SUSE CVE CVE-2022-41977 page https://www.suse.com/security/cve/CVE-2022-4198/ SUSE CVE CVE-2022-4198 page https://www.suse.com/security/cve/CVE-2022-41988/ SUSE CVE CVE-2022-41988 page https://www.suse.com/security/cve/CVE-2022-41999/ SUSE CVE CVE-2022-41999 page openSUSE Tumbleweed OpenImageIO-2.4.5.0-1.1 OpenImageIO-devel-2.4.5.0-1.1 libOpenImageIO2_4-2.4.5.0-1.1 libOpenImageIO_Util2_4-2.4.5.0-1.1 python3-OpenImageIO-2.4.5.0-1.1 OpenImageIO-2.4.5.0-1.1 as a component of openSUSE Tumbleweed OpenImageIO-devel-2.4.5.0-1.1 as a component of openSUSE Tumbleweed libOpenImageIO2_4-2.4.5.0-1.1 as a component of openSUSE Tumbleweed libOpenImageIO_Util2_4-2.4.5.0-1.1 as a component of openSUSE Tumbleweed python3-OpenImageIO-2.4.5.0-1.1 as a component of openSUSE Tumbleweed A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-36354 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36354.html CVE-2022-36354 https://bugzilla.suse.com/1205021 SUSE Bug 1205021 https://bugzilla.suse.com/1205023 SUSE Bug 1205023 https://bugzilla.suse.com/1205027 SUSE Bug 1205027 https://bugzilla.suse.com/1205028 SUSE Bug 1205028 A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-38143 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-38143.html CVE-2022-38143 https://bugzilla.suse.com/1205024 SUSE Bug 1205024 A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41639 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41639.html CVE-2022-41639 https://bugzilla.suse.com/1205021 SUSE Bug 1205021 https://bugzilla.suse.com/1205023 SUSE Bug 1205023 https://bugzilla.suse.com/1205028 SUSE Bug 1205028 https://bugzilla.suse.com/1205031 SUSE Bug 1205031 A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41684 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41684.html CVE-2022-41684 https://bugzilla.suse.com/1205029 SUSE Bug 1205029 A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41794 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41794.html CVE-2022-41794 https://bugzilla.suse.com/1205026 SUSE Bug 1205026 A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41838 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41838.html CVE-2022-41838 https://bugzilla.suse.com/1205021 SUSE Bug 1205021 An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41977 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41977.html CVE-2022-41977 https://bugzilla.suse.com/1205021 SUSE Bug 1205021 https://bugzilla.suse.com/1205023 SUSE Bug 1205023 https://bugzilla.suse.com/1205028 SUSE Bug 1205028 https://bugzilla.suse.com/1205030 SUSE Bug 1205030 The WP Social Sharing WordPress plugin through 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE-2022-4198 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-4198.html CVE-2022-4198 https://bugzilla.suse.com/1205028 SUSE Bug 1205028 An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41988 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41988.html CVE-2022-41988 https://bugzilla.suse.com/1205021 SUSE Bug 1205021 https://bugzilla.suse.com/1205023 SUSE Bug 1205023 https://bugzilla.suse.com/1205028 SUSE Bug 1205028 A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-41999 openSUSE Tumbleweed:OpenImageIO-2.4.5.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.5.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.5.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41999.html CVE-2022-41999 https://bugzilla.suse.com/1205023 SUSE Bug 1205023