CVE-2021-3941

2021-11-1100:00:00

ubuntu.com

openexr

divide-by-zero

bug

rgbtoxyz

availability

redhat

chromium

fuzz.

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS

Percentile

14.2%

JSON

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division
operations such as float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y; and chroma.green.y * (X + Z))) / d; but the divisor is
not checked for a 0 value. A specially crafted file could trigger a
divide-by-zero condition which could affect the availability of programs
linked with OpenEXR.

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchopenexr< 2.2.0-11.1ubuntu1.9UNKNOWN
ubuntu20.04noarchopenexr< 2.3.0-6ubuntu0.5+esm1UNKNOWN
ubuntu22.04noarchopenexr< 2.5.7-1ubuntu0.1~esm1UNKNOWN
ubuntu16.04noarchopenexr< 2.2.0-10ubuntu2.6+esm3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	openexr	< 2.2.0-11.1ubuntu1.9	UNKNOWN
ubuntu	20.04	noarch	openexr	< 2.3.0-6ubuntu0.5+esm1	UNKNOWN
ubuntu	22.04	noarch	openexr	< 2.5.7-1ubuntu0.1~esm1	UNKNOWN
ubuntu	16.04	noarch	openexr	< 2.2.0-10ubuntu2.6+esm3	UNKNOWN