Arch Linux Security Advisory ASA-202107-14
==========================================

Severity: Medium
Date    : 2021-07-06
CVE-ID  : CVE-2021-3598
Package : openexr
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2071

Summary
=======

The package openexr before version 3.0.5-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 3.0.5-1.

# pacman -Syu "openexr>=3.0.5-1"

The problem has been fixed upstream in version 3.0.5.

Workaround
==========

None.

Description
===========

A heap-buffer overflow was found in the readChars function of OpenEXR before version 3.0.5. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.

Impact
======

An attacker could execute arbitrary code through a crafted EXR image file.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1970987
https://github.com/AcademySoftwareFoundation/openexr/issues/1033
https://github.com/AcademySoftwareFoundation/openexr/pull/1037
https://github.com/AcademySoftwareFoundation/openexr/commit/b054116e57ebf62739a17217f922359b174d1332
https://security.archlinux.org/CVE-2021-3598