CVE-2020-11762: Buffer Overflow
First published: Tue Apr 14 2020(Updated: )
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.
Credit: Xingwei Lin Ant cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openexr | 2.5.4-2+deb11u1 3.1.5-5 3.1.5-5.1 | |
| tvOS | <13.4.8 | 13.4.8 |
| macOS Catalina | <10.15.6 | 10.15.6 |
| macOS Mojave | ||
| macOS High Sierra | ||
| Apple iOS, iPadOS, and watchOS | <13.6 | 13.6 |
| Apple iOS, iPadOS, and watchOS | <13.6 | 13.6 |
| Apple iOS, iPadOS, and watchOS | <6.2.8 | 6.2.8 |
| Apple iCloud | <11.3 | 11.3 |
| Apple iCloud | <7.20 | 7.20 |
| Apple iTunes | <12.10.8 | 12.10.8 |
| OpenEXR | <2.4.1 | |
| Fedora | =32 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.10 | |
| Ubuntu | =20.04 | |
| openSUSE | =15.1 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Apple iCloud for Windows | <7.20 | |
| Apple iCloud for Windows | >=10.0<11.3 | |
| Apple iTunes for Windows | <12.10.8 | |
| Apple iOS, iPadOS, and watchOS | <13.6 | |
| iOS | <13.6 | |
| Apple iOS and macOS | <10.15.6 | |
| Apple iOS and macOS | >=10.13.0<10.13.6 | |
| Apple iOS and macOS | >=10.14.0<10.14.6 | |
| Apple iOS and macOS | =10.13.6 | |
| Apple iOS and macOS | =10.13.6-security_update_2018-002 | |
| Apple iOS and macOS | =10.13.6-security_update_2018-003 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-001 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-002 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-003 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-004 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-005 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-006 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-007 | |
| Apple iOS and macOS | =10.13.6-security_update_2020-001 | |
| Apple iOS and macOS | =10.13.6-security_update_2020-002 | |
| Apple iOS and macOS | =10.13.6-security_update_2020-003 | |
| Apple iOS and macOS | =10.14.6 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-001 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-002 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-004 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-005 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-006 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-007 | |
| Apple iOS and macOS | =10.14.6-security_update_2020-001 | |
| Apple iOS and macOS | =10.14.6-security_update_2020-002 | |
| Apple iOS and macOS | =10.14.6-security_update_2020-003 | |
| tvOS | <13.4.8 | |
| Apple iOS, iPadOS, and watchOS | <6.2.8 |
Remedy
https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031
Remedy
https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
- https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1
- https://usn.ubuntu.com/4339-1/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4KFGDQG5PVYAU7TS5MZ7XCS6EMPVII3/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html
- https://www.debian.org/security/2020/dsa-4755
- https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html
- https://support.apple.com/kb/HT211288
- https://support.apple.com/kb/HT211289
- https://support.apple.com/kb/HT211290
- https://support.apple.com/kb/HT211291
- https://support.apple.com/kb/HT211293
- https://support.apple.com/kb/HT211294
- https://support.apple.com/kb/HT211295
- https://security.gentoo.org/glsa/202107-27
- https://launchpad.net/bugs/cve/CVE-2020-11762
- https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031
- https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a
- https://github.com/AcademySoftwareFoundation/openexr/commit/7f0c9e256f34cac5a31e9d9cce00ccc898f49f3b
- https://security-tracker.debian.org/tracker/CVE-2020-11762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11762
- https://nvd.nist.gov/vuln/detail/CVE-2020-11762
- https://ubuntu.com/security/CVE-2020-11762
- https://support.apple.com/en-us/HT211290 (Advisory)
- https://support.apple.com/en-us/HT211289 (Advisory)
- https://support.apple.com/en-us/HT211288 (Advisory)
- https://support.apple.com/en-us/HT211291 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4KFGDQG5PVYAU7TS5MZ7XCS6EMPVII3/
- https://support.apple.com/en-us/HT211294 (Advisory)
- https://support.apple.com/en-us/HT211295 (Advisory)
- https://support.apple.com/kb/HT211294
- https://support.apple.com/en-us/HT211293 (Advisory)
- https://support.apple.com/kb/HT211293
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2020-9884
- CVE-2020-9889
- CVE-2020-9888
- CVE-2020-9890
- CVE-2020-9891
- CVE-2020-9907
- CVE-2020-9883
- CVE-2020-9865
- CVE-2020-9900
- CVE-2020-9980
- CVE-2020-9933
- CVE-2020-9914
- CVE-2020-27933
- CVE-2020-11758
- CVE-2020-11759
- CVE-2020-11760
- CVE-2020-11761
- CVE-2020-11762
- CVE-2020-11763
- CVE-2020-11764
- CVE-2020-11765
- CVE-2020-9871
- CVE-2020-9872
- CVE-2020-9874
- CVE-2020-9879
- CVE-2020-9936
- CVE-2020-9937
- CVE-2020-9919
- CVE-2020-9876
- CVE-2020-9873
- CVE-2020-9938
- CVE-2020-9984
- CVE-2020-9877
- CVE-2020-9875
- CVE-2019-14899
- CVE-2020-9909
- CVE-2020-9904
- CVE-2020-9863
- CVE-2020-9892
- CVE-2020-9902
- CVE-2020-9905
- CVE-2020-9926
- CVE-2020-9880
- CVE-2020-9878
- CVE-2020-9940
- CVE-2020-9868
- CVE-2020-9901
- CVE-2020-9894
- CVE-2020-9915
- CVE-2020-9925
- CVE-2020-9893
- CVE-2020-9895
- CVE-2020-9910
- CVE-2020-9916
- CVE-2020-9862
- CVE-2020-6514
- CVE-2020-9918
- CVE-2020-9927
- CVE-2020-9928
- CVE-2020-9929
- CVE-2020-9870
- CVE-2020-9866
- CVE-2020-9869
- CVE-2020-9949
- CVE-2020-9934
- CVE-2020-9799
- CVE-2020-9913
- CVE-2020-9887
- CVE-2020-9908
- CVE-2020-9990
- CVE-2020-9921
- CVE-2020-9924
- CVE-2020-9997
- CVE-2020-9994
- CVE-2020-9935
- CVE-2019-19906
- CVE-2020-9920
- CVE-2020-9922
- CVE-2020-9885
- CVE-2020-9881
- CVE-2020-9882
- CVE-2020-9985
- CVE-2020-12243
- CVE-2020-10878
- CVE-2020-12723
- CVE-2014-9512
- CVE-2020-9930
- CVE-2020-9939
- CVE-2020-9864
- CVE-2020-9854
- CVE-2019-20807
- CVE-2020-9898
- CVE-2020-9899
- CVE-2020-9906
- CVE-2020-9931
- CVE-2020-9923
- CVE-2020-9903
- CVE-2020-9911
- CVE-2020-9917
Frequently Asked Questions
What is CVE-2020-11762?
CVE-2020-11762 is a vulnerability in ImageIO that was addressed with improved checks in openEXR.
Which software versions are affected by CVE-2020-11762?
Software versions affected by CVE-2020-11762 include macOS Catalina 10.15.6, Apple Mojave, Apple High Sierra, iOS up to 13.6, iPadOS up to 13.6, watchOS up to 6.2.8, iCloud for Windows up to 7.20, tvOS up to 13.4.8, and iTunes for Windows up to 12.10.8.
How severe is CVE-2020-11762?
The severity of CVE-2020-11762 is not specified in the provided information.
How can I fix CVE-2020-11762?
To fix CVE-2020-11762, update your software to the latest available version provided by Apple.
Where can I find more information about CVE-2020-11762?
You can find more information about CVE-2020-11762 on the Apple support website.
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/event
- agent/first-publish-date
- agent/description
- agent/last-modified-date
- agent/trending
- agent/source
- collector/apple-support
- alias/CVE-2020-11759
- alias/CVE-2020-11760
- alias/CVE-2020-11761
- alias/CVE-2020-11762
- alias/CVE-2020-11763
- alias/CVE-2020-11764
- alias/CVE-2020-11765
- agent/software-canonical-lookup-request
- agent/author
- agent/references
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/debian
- vendor/apple
- canonical/tvos
- canonical/macos catalina
- canonical/macos mojave
- canonical/macos high sierra
- canonical/apple ios, ipados, and watchos
- canonical/apple icloud
- canonical/apple itunes
- vendor/openexr
- canonical/openexr
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.10
- version/ubuntu/20.04
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- canonical/apple icloud for windows
- version/apple icloud for windows/10.0
- canonical/apple itunes for windows
- canonical/ios
- canonical/apple ios and macos
- version/apple ios and macos/10.13.0
- version/apple ios and macos/10.14.0
- version/apple ios and macos/10.13.6
- version/apple ios and macos/10.13.6-security_update_2018-002
- version/apple ios and macos/10.13.6-security_update_2018-003
- version/apple ios and macos/10.13.6-security_update_2019-001
- version/apple ios and macos/10.13.6-security_update_2019-002
- version/apple ios and macos/10.13.6-security_update_2019-003
- version/apple ios and macos/10.13.6-security_update_2019-004
- version/apple ios and macos/10.13.6-security_update_2019-005
- version/apple ios and macos/10.13.6-security_update_2019-006
- version/apple ios and macos/10.13.6-security_update_2019-007
- version/apple ios and macos/10.13.6-security_update_2020-001
- version/apple ios and macos/10.13.6-security_update_2020-002
- version/apple ios and macos/10.13.6-security_update_2020-003
- version/apple ios and macos/10.14.6
- version/apple ios and macos/10.14.6-security_update_2019-001
- version/apple ios and macos/10.14.6-security_update_2019-002
- version/apple ios and macos/10.14.6-security_update_2019-004
- version/apple ios and macos/10.14.6-security_update_2019-005
- version/apple ios and macos/10.14.6-security_update_2019-006
- version/apple ios and macos/10.14.6-security_update_2019-007
- version/apple ios and macos/10.14.6-security_update_2020-001
- version/apple ios and macos/10.14.6-security_update_2020-002
- version/apple ios and macos/10.14.6-security_update_2020-003