OpenImageIO-2.4.6.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12589 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z OpenImageIO-2.4.6.0-1.1 on GA media These are all security issues fixed in the OpenImageIO-2.4.6.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12589 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12589 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-43592/ SUSE CVE CVE-2022-43592 page https://www.suse.com/security/cve/CVE-2022-43593/ SUSE CVE CVE-2022-43593 page https://www.suse.com/security/cve/CVE-2022-43594/ SUSE CVE CVE-2022-43594 page https://www.suse.com/security/cve/CVE-2022-43595/ SUSE CVE CVE-2022-43595 page https://www.suse.com/security/cve/CVE-2022-43596/ SUSE CVE CVE-2022-43596 page https://www.suse.com/security/cve/CVE-2022-43597/ SUSE CVE CVE-2022-43597 page https://www.suse.com/security/cve/CVE-2022-43599/ SUSE CVE CVE-2022-43599 page https://www.suse.com/security/cve/CVE-2022-43603/ SUSE CVE CVE-2022-43603 page openSUSE Tumbleweed OpenImageIO-2.4.6.0-1.1 OpenImageIO-devel-2.4.6.0-1.1 libOpenImageIO2_4-2.4.6.0-1.1 libOpenImageIO_Util2_4-2.4.6.0-1.1 python3-OpenImageIO-2.4.6.0-1.1 OpenImageIO-2.4.6.0-1.1 as a component of openSUSE Tumbleweed OpenImageIO-devel-2.4.6.0-1.1 as a component of openSUSE Tumbleweed libOpenImageIO2_4-2.4.6.0-1.1 as a component of openSUSE Tumbleweed libOpenImageIO_Util2_4-2.4.6.0-1.1 as a component of openSUSE Tumbleweed python3-OpenImageIO-2.4.6.0-1.1 as a component of openSUSE Tumbleweed An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability. CVE-2022-43592 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43592.html CVE-2022-43592 A denial of service vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to null pointer dereference. An attacker can provide malicious input to trigger this vulnerability. CVE-2022-43593 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43593.html CVE-2022-43593 https://bugzilla.suse.com/1211839 SUSE Bug 1211839 Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .bmp files. CVE-2022-43594 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43594.html CVE-2022-43594 Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .fits files. CVE-2022-43595 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43595.html CVE-2022-43595 An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability. CVE-2022-43596 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43596.html CVE-2022-43596 Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT8`. CVE-2022-43597 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43597.html CVE-2022-43597 Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8` CVE-2022-43599 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43599.html CVE-2022-43599 A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability. CVE-2022-43603 openSUSE Tumbleweed:OpenImageIO-2.4.6.0-1.1 openSUSE Tumbleweed:OpenImageIO-devel-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO2_4-2.4.6.0-1.1 openSUSE Tumbleweed:libOpenImageIO_Util2_4-2.4.6.0-1.1 openSUSE Tumbleweed:python3-OpenImageIO-2.4.6.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-43603.html CVE-2022-43603 https://bugzilla.suse.com/1206695 SUSE Bug 1206695