community/openexr: fix CVE-2018-18444

Fixes https://gitlab.alpinelinux.org/alpine/aports/issues/10394
2026-05-07 21:36:41 +02:00 · 2019-07-21 16:55:19 -03:00 · 2019-07-21 16:55:19 -03:00 · c898c3b7eb
commit c898c3b7eb
parent 161149cf67
2 changed files with 33 additions and 3 deletions
--- a/community/openexr/APKBUILD
+++ b/community/openexr/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Mark Riedesel <mark+alpine@klowner.com>
 pkgname=openexr
 pkgver=2.2.1
-pkgrel=0
+pkgrel=1
 pkgdesc="A high dynamic-range image file format library"
 url="http://www.openexr.com/"
 arch="all"
@ -10,9 +10,15 @@ license="BSD"
 depends=""
 makedepends="ilmbase-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
-source="http://download.savannah.nongnu.org/releases/openexr/${pkgname}-${pkgver}.tar.gz"
+source="http://download.savannah.nongnu.org/releases/openexr/${pkgname}-${pkgver}.tar.gz
+	CVE-2018-18444.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"

+# secfixes:
+#   2.2.1-r1:
+#     - CVE-2018-18444
+
 build() {
 	cd "$builddir"
 	./configure \
@ -37,4 +43,5 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }

-sha512sums="192100c6ac47534f3a93c55327d2ab90b07a8265156855086b326184328c257dcde12991b3f3f1831e2df4226fe884adcfe481c2f02a157c715aee665e89a480  openexr-2.2.1.tar.gz"
+sha512sums="192100c6ac47534f3a93c55327d2ab90b07a8265156855086b326184328c257dcde12991b3f3f1831e2df4226fe884adcfe481c2f02a157c715aee665e89a480  openexr-2.2.1.tar.gz
+c88f42bf9cb4fb2ccff493a3fded1a6efc67dedbe9475c0fa16e2bde8970fd6a03c5684558203cc7261b91c1f4521b0e007a653233ba16dfa3153320c7efe93d  CVE-2018-18444.patch"
--- a/community/openexr/CVE-2018-18444.patch
+++ b/community/openexr/CVE-2018-18444.patch
@ -0,0 +1,23 @@
+From 1b0f1e5d7dcf2e9d6cbb4e005e803808b010b1e0 Mon Sep 17 00:00:00 2001
+From: pgajdos <pgajdos@suse.cz>
+Date: Fri, 14 Jun 2019 22:19:30 +0200
+Subject: [PATCH] fix CVE-2018-18444
+
+---
+ exrmultiview/Image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OpenEXR/exrmultiview/Image.h b/OpenEXR/exrmultiview/Image.h
+index 5d718f5d..c465d380 100644
+--- a/exrmultiview/Image.h
+++ b/exrmultiview/Image.h
+@@ -227,7 +227,7 @@ template <class T>
+ void
+ TypedImageChannel<T>::black ()
+ {
+-    memset(&_pixels[0][0],0,image().width()/_xSampling*image().height()/_ySampling*sizeof(T));
+    memset(&_pixels[0][0],0,image().width()/_xSampling*(image().height()/_ySampling)*sizeof(T));
+ }
+ 
+ 
+