CVE-2021-3941

Published: 3/25/2022 Last updated: 8/3/2024 Reserved: 11/9/2021

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Opam packages affected (1)

conf-openimageio

Products affected (1)

Product	Vendor	Version
openexr	n/a	< 1.2.56

References (10)

https://bugzilla.redhat.com/show_bug.cgi?id=2019789
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2JSMJ7HLWFPYYV7IAQZD5ZUUUN7RWBN/
https://security.gentoo.org/glsa/202210-31
https://www.debian.org/security/2022/dsa-5299
https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html
https://bugzilla.redhat.com/show_bug.cgi?id=2019789
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2JSMJ7HLWFPYYV7IAQZD5ZUUUN7RWBN/
https://security.gentoo.org/glsa/202210-31
https://www.debian.org/security/2022/dsa-5299
https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html