OpenEXR vulnerabilities

[wqh17101]

OpenCV 4.5.5/3.4.17: disabled OpenEXR in runtime: #21327

---

System information (version)

• OpenCV => 4.5.2
• Operating System / Platform => Linux
• Compiler => gcc 7.3.0

Detailed description

For openexr
according to http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openexr

CVE-2021-23169
CVE-2021-3479
CVE-2020-15306
CVE-2020-15304
CVE-2020-11758
CVE-2021-3605
CVE-2021-23215
CVE-2020-15305
CVE-2020-11760
CVE-2020-11765

For openjpeg
according to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29338

 CVE-2021-29338

Steps to reproduce

build for default

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues,
  forum.opencv.org, Stack Overflow, etc and have not found solution
• I updated to latest OpenCV version and the issue is still there
• There is reproducer code and related data files: videos, images, onnx, etc

[alalek]

Why is it so hard to put text information as text? Text screenshots are ridiculous.
Do you understand that this blocks searching?

[wqh17101]

Why is it so hard to put text information as text? Text screenshots are ridiculous. Do you understand that this blocks searching?

Sorry for that.
according to http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openexr

CVE-2021-23169
CVE-2021-3479
CVE-2020-15306
CVE-2020-15304
CVE-2020-11758
CVE-2021-3605
CVE-2021-23215
CVE-2020-15305
CVE-2020-11760
CVE-2020-11765

[alalek]

Thank you! Updated the initial post.

[wqh17101]

Also openjpeg v2.4.0 you bundled has a Vulnerability which is CVE-2021-29338.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29338 @alalek

[alalek]

CVE-2021-29338
This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Probably not applicable to OpenCV. We don't use OpenJPEG tools or apps. OpenCV uses decoder/encoder API subset only.

Also there are no new releases yet: https://github.com/uclouvain/openjpeg/releases

[wqh17101]

CVE-2021-29338
This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

Probably not applicable to OpenCV. We don't use OpenJPEG tools or apps. OpenCV uses decoder/encoder API subset only.

Also there are no new releases yet: https://github.com/uclouvain/openjpeg/releases

I think so. You'd better have an eye on it.

[alalek]

I have prepared PR #21327 which disables bundled-in OpenEXR in runtime with link on this issue. So lets keep OpenEXR only problems in this issue.

If you have concerns about openjpeg please open another new issue. Initial analyzing shows that OpenCV is not affected by OpenJPEG issue, see the comment above. More analyzing requires more input/details (which we don't have).

[wqh17101]

to fix openexr maybe you can update it to 3.x

[alalek]

New OpenEXR requires C++11, OpenCV 3.4 is C++98. So no upgrade is planned here.
OpenEXR upgrade PR for OpenCV 4.x is here: #21324 (to be discussed after NY holidays).

[fschiffers]

Hi,
I ran into this issue:

Hence I wanted to bump this issue and ask if there's any solution (like downgrading openCV to solve this issue in the meantime)

[alalek]

If you still need OpenEXR functionality and ensure that provided inputs are valid (from trusted sources) then you may turn off mentioned flag through environment variables (check internet how to use them).

Any downgrading attempt is a security hole. Not recommended in general.

---

Avoid posting text information through screenshots in internet. It is ridiculous.

[reunanen]

@alalek Wouldn't merging #21324 help fix the security issues?