CVE-2009-1720

Severity: high

Description

Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows, related to (1) the Imf::PreviewImage::PreviewImage function and (2) compressor constructors. NOTE: some of these details are obtained from third party information.

References

http://lists.apple.com/archives/security-announce/2009/Aug/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00000.html

http://release.debian.org/proposed-updates/stable_diffs/openexr_1.6.1-3%2Blenny3.debdiff

http://secunia.com/advisories/36030

http://secunia.com/advisories/36032

http://secunia.com/advisories/36096

http://secunia.com/advisories/36123

http://secunia.com/advisories/36753

http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2.diff.gz

http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3.diff.gz

http://support.apple.com/kb/HT3757

http://www.debian.org/security/2009/dsa-1842

http://www.mandriva.com/security/advisories?name=MDVSA-2009:190

http://www.mandriva.com/security/advisories?name=MDVSA-2009:191

http://www.securityfocus.com/bid/35838

http://www.securitytracker.com/id?1022674

http://www.ubuntu.com/usn/USN-831-1

http://www.us-cert.gov/cas/techalerts/TA09-218A.html

http://www.vupen.com/english/advisories/2009/2035

http://www.vupen.com/english/advisories/2009/2172

https://github.com/openexr/openexr/blob/master/CHANGES.md#version-170-july-23-2010

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01286.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01290.html

Details

Source: MITRE

Published: 2009-07-31

Updated: 2012-10-23

Type: CWE-189

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Tenable Plugins (16 total)

ID | Name | Product | Family | Severity
71259 | GLSA-201312-07 : OpenEXR: Multiple Vulnerabilities | Nessus | Gentoo Local Security Checks | high
44707 | Debian DSA-1842-1 : openexr - several vulnerabilities | Nessus | Debian Local Security Checks | high
43075 | Mandriva Linux Security Advisory : OpenEXR (MDVSA-2009:191-1) | Nessus | Mandriva Local Security Checks | high
41987 | openSUSE 10 Security Update : OpenEXR (OpenEXR-6393) | Nessus | SuSE Local Security Checks | high
41472 | SuSE 10 Security Update : OpenEXR (ZYPP Patch Number 6392) | Nessus | SuSE Local Security Checks | high
41360 | SuSE 11 Security Update : OpenEXR (SAT Patch Number 1155) | Nessus | SuSE Local Security Checks | high
40982 | Ubuntu 8.04 LTS / 8.10 / 9.04 : openexr vulnerabilities (USN-831-1) | Nessus | Ubuntu Local Security Checks | high
40845 | openSUSE Security Update : OpenEXR (OpenEXR-1157) | Nessus | SuSE Local Security Checks | high
40841 | openSUSE Security Update : OpenEXR (OpenEXR-1157) | Nessus | SuSE Local Security Checks | high
800789 | Mac OS X 10.5 < 10.5.8 Multiple Vulnerabilities | Log Correlation Engine | Operating System Detection | high
5122 | Mac OS X 10.5 < 10.5.8 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical
40502 | Mac OS X 10.5.x < 10.5.8 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
40501 | Mac OS X Multiple Vulnerabilities (Security Update 2009-003) | Nessus | MacOS X Local Security Checks | critical
40465 | Mandriva Linux Security Advisory : OpenEXR (MDVSA-2009:190) | Nessus | Mandriva Local Security Checks | high
40453 | Fedora 10 : OpenEXR-1.6.1-8.fc10 (2009-8136) | Nessus | Fedora Local Security Checks | high
40452 | Fedora 11 : OpenEXR-1.6.1-8.fc11 (2009-8132) | Nessus | Fedora Local Security Checks | high