Executive Summary

Informations
Name CVE-2009-1722 First vendor Publication 2009-07-31
Vendor Cve Last vendor Modification 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Heap-based buffer overflow in the compression implementation in OpenEXR 1.2.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1722

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13999
 
Oval ID: oval:org.mitre.oval:def:13999
Title: USN-831-1 -- openexr vulnerabilities
Description: Drew Yao discovered several flaws in the way OpenEXR handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. It was discovered that OpenEXR did not properly handle certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 8.04 LTS
Family: unix Class: patch
Reference(s): USN-831-1
CVE-2009-1720
CVE-2009-1721
CVE-2009-1722
 Version: 5
Platform(s): Ubuntu 8.10
Ubuntu 8.04
Ubuntu 9.04
 Product(s): openexr
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7863
 
Oval ID: oval:org.mitre.oval:def:7863
Title: DSA-1842 openexr -- several vulnerabilities
Description: Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered integer overflows in the preview and compression code. Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. A buffer overflow was discovered in the compression code.
Family: unix Class: patch
Reference(s): DSA-1842
CVE-2009-1720
CVE-2009-1721
CVE-2009-1722
 Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): openexr
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

OpenVAS Exploits

Date Description
2010-05-12 Name : Mac OS X 10.5.8 Update / Mac OS X Security Update 2009-003
File : nvt/macosx_upd_10_5_8_secupd_2009-003.nasl
2009-12-14 Name : Mandriva Security Advisory MDVSA-2009:191-1 (OpenEXR)
File : nvt/mdksa_2009_191_1.nasl
2009-09-15 Name : Ubuntu USN-831-1 (openexr)
File : nvt/ubuntu_831_1.nasl
2009-08-17 Name : Mandrake Security Advisory MDVSA-2009:191 (OpenEXR)
File : nvt/mdksa_2009_191.nasl
2009-07-29 Name : Debian Security Advisory DSA 1842-1 (openexr)
File : nvt/deb_1842_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
56709 OpenEXR Compression Implementation Unspecified Overflow

An unspecified buffer overflow exists in OpenEXR. The compression implementation fails to validate unspecified data resulting in a buffer overflow. With a specially crafted request, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

Nessus® Vulnerability Scanner

Date Description
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1842.nasl - Type : ACT_GATHER_INFO
2009-12-09 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-191.nasl - Type : ACT_GATHER_INFO
2009-09-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-831-1.nasl - Type : ACT_GATHER_INFO
2009-08-05 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_10_5_8.nasl - Type : ACT_GATHER_INFO
2009-08-05 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2009-003.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

http://lists.apple.com/archives/security-announce/2009/Aug/msg00001.html
http://secunia.com/advisories/36032
http://secunia.com/advisories/36096
http://secunia.com/advisories/36753
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch...
http://support.apple.com/kb/HT3757
http://www.debian.org/security/2009/dsa-1842
http://www.mandriva.com/security/advisories?name=MDVSA-2009:191
http://www.securityfocus.com/bid/35838
http://www.securitytracker.com/id?1022674
http://www.ubuntu.com/usn/USN-831-1
http://www.us-cert.gov/cas/techalerts/TA09-218A.html
http://www.vupen.com/english/advisories/2009/2035
http://www.vupen.com/english/advisories/2009/2172
https://github.com/openexr/openexr/blob/master/CHANGES.md#version-170-july-23...
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
Date Informations
2024-11-28 23:10:46
  • Multiple Updates
2024-11-28 12:19:00
  • Multiple Updates
2021-05-04 12:09:35
  • Multiple Updates
2021-04-22 01:09:56
  • Multiple Updates
2020-05-23 00:23:48
  • Multiple Updates
2019-09-27 12:02:54
  • Multiple Updates
2016-04-26 18:50:17
  • Multiple Updates
2014-02-17 10:50:08
  • Multiple Updates
2013-05-10 23:50:53
  • Multiple Updates