<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenEXR - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/openexr/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/openexr/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenEXR PIZ Decoder Integer Overflow Leads to OOB Read/Write</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-openexr-overflow/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-openexr-overflow/</guid><description>A crafted OpenEXR file can trigger out-of-bounds memory access during PIZ decompression due to a signed 32-bit overflow in the `internal_exr_undo_piz()` function, leading to out-of-bounds reads and writes and potentially causing process crashes or memory corruption; affects OpenEXR versions 3.1.0 to 3.2.6, 3.3.0 to 3.3.8, and 3.4.0 to 3.4.8.</description><content:encoded><![CDATA[<p>A signed 32-bit integer overflow vulnerability exists in the PIZ decoder of OpenEXR, specifically within the <code>internal_exr_undo_piz()</code> function. This function advances a wavelet pointer using signed 32-bit arithmetic. By crafting a malicious EXR file, attackers can cause the product of <code>nx</code>, <code>ny</code>, and <code>wcount</code> to overflow and wrap around. This leads to the subsequent channel decoding from an incorrect memory address. Given that the wavelet decode path operates in place, this vulnerability results in both out-of-bounds reads and out-of-bounds writes. This issue has been identified in OpenEXR versions 3.1.0 to 3.2.6, 3.3.0 to 3.3.8, and 3.4.0 to 3.4.8. A proof-of-concept exploit exists, and successful exploitation could lead to crashes and memory corruption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The victim opens a specially crafted <code>.exr</code> file using an application that utilizes the OpenEXR library.</li>
<li>The application calls <code>internal_exr_undo_piz()</code> to decompress the image data.</li>
<li>Within <code>internal_exr_undo_piz()</code>, <code>wavbuf</code> is set to <code>decode-&gt;scratch_buffer_1</code>.</li>
<li>For each channel, the function calls <code>wav_2D_decode (wavbuf + j, ...)</code>.</li>
<li><code>wavbuf</code> is advanced with <code>wavbuf += nx * ny * wcount;</code>, where nx, ny, and wcount are attacker-controlled integers from the crafted EXR file.</li>
<li>The multiplication of <code>nx</code>, <code>ny</code>, and <code>wcount</code> overflows, wrapping the <code>wavbuf</code> pointer to an out-of-bounds memory location.</li>
<li>The next channel's wavelet decode runs on the incorrect, out-of-bounds address.</li>
<li><code>wdec14_4()</code> attempts to read and write to the out-of-bounds memory location, leading to memory corruption or a crash.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows for arbitrary out-of-bounds read/write operations. The impact ranges from simple process crashes to memory corruption, potentially leading to arbitrary code execution. The severity depends on the allocator layout, surrounding memory protections, and the specific application using the vulnerable OpenEXR library. Exploitation may allow an attacker to overwrite program code or data, leading to a loss of confidentiality, integrity, or availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenEXR to a patched version (&gt;= 3.2.7, &gt;= 3.3.9, &gt;= 3.4.9) to remediate the vulnerability.</li>
<li>Monitor for the use of the <code>exrcheck</code> tool against potentially malicious <code>.exr</code> files, especially those originating from untrusted sources.</li>
<li>Inspect network traffic for downloads of <code>.exr</code> files from untrusted sources.</li>
<li>Implement the provided fix recommendations, such as validating the <code>nx * ny * wcount</code> calculation and buffer sizes, within the OpenEXR library where feasible.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openexr</category><category>memory-corruption</category><category>out-of-bounds</category><category>cve-2026-34588</category></item></channel></rss>