Skip to content

Commit 3173c7d

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-3h9h-qfvw-98hq GHSA-3p65-76g6-3w7r GHSA-57cw-j6vp-2p9m GHSA-q6vj-wxvf-5m8c GHSA-vh63-9mqx-wmjr
1 parent 6346d55 commit 3173c7d

5 files changed

Lines changed: 490 additions & 0 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-3h9h-qfvw-98hq/GHSA-3h9h-qfvw-98hq.json

Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,104 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3h9h-qfvw-98hq",
4+
"modified": "2026-04-06T17:51:11Z",
5+
"published": "2026-04-06T17:51:11Z",
6+
"aliases": [
7+
"CVE-2025-64181"
8+
],
9+
"summary": "OpenEXR Makes Use of Uninitialized Memory",
10+
"details": "### Summary\nWhile fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory (CWE-457). The issue is reproducible with the current OSS-Fuzz harness and a single-file PoC.\n\n### Details\n\n**Environment:**\n- Tooling: `valgrind --tool=memcheck --track-origins=yes`\n- Target: `openexr_exrcheck_fuzzer`\n- OS: Ubuntu 20.04.6 LTS focal x86_64\n- openexr version and Git-commit hash: ` openexr 3.4.2 | commit fd657e8a41e157e5841c7cc2e2a5efe094b069a1 (grafted, HEAD -> main, origin/main, origin/HEAD)`\n\nFunction: `generic_unpack`\n\nPossible root cause (based on observed symptoms):\nThe unpacker is branching on bytes in a scratch buffer that were never written because the decode step didn’t fully populate it.\n- The first use flagged is in `generic_unpack()`. That function reads from the decompressed/expanded pixel buffer to scatter data into the framebuffer. A “conditional jump depends on uninitialised value(s)” means it’s consulting bytes in that buffer before they were written.\n- Valgrind says the uninitialised value “was created by a heap allocation (malloc)”, not the stack: this matches a per-tile/per-scanline decode scratch buffer allocated in `exr_decoding_run()`.\n\n**Valgrind Trace (top frames):**\n```bash\n==454== Conditional jump or move depends on uninitialised value(s)\n==454== at 0x4539BE: generic_unpack (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x44B85F: exr_decoding_run (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x38BC5F: Imf_4_0::(anonymous namespace)::TileProcess::run_decode(_priv_exr_context_t const*, int, Imf_4_0::FrameBuffer const*, std::__1::vector<Imf_4_0::Slice, std::__1::allocator<Imf_4_0::Slice> > const&) (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x388BE1: Imf_4_0::TiledInputFile::Data::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x388619: Imf_4_0::TiledInputFile::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x353755: Imf_4_0::InputFile::Data::bufferedReadPixels(int, int) (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x352286: Imf_4_0::InputFile::readPixels(int) (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x3190FA: Imf_4_0::(anonymous namespace)::readMultiPart(Imf_4_0::MultiPartInputFile&, bool, bool) (in /out/openexr_exrcheck_fuzzer)\n==454== by 0x314C4D: Imf_4_0::checkOpenEXRFile(char const*, unsigned long, bool, bool, bool) (in /out/openexr_exrcheck_fuzzer)\n==454== Uninitialised value was created by a heap allocation at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)\n```\n\n### PoC\nIn the attached archive, you will find:\n- The executable used for our tests.\n- The testcase used to trigger the bug.\n\nTo observe the bug, simply run the OSS-Fuzz helper script:\n```bash\ngit clone https://github.com/google/oss-fuzz.git\ncd oss-fuzz\n\npython3 infra/helper.py build_image openexr\npython3 infra/helper.py build_fuzzers --sanitizer=none openexr\npython3 infra/helper.py shell openexr\n\napt update && apt install -y valgrind\nulimit -n 65535\nvalgrind --tool=memcheck --track-origins=yes /out/openexr_exrcheck_fuzzer /path/to/poc\n```\n\n### Impact\n- Undefined Behavior\n- Potential crash\n- Denial of Service\n\n**Credit:** Aldo Ristori\n[archive0.zip](https://github.com/user-attachments/files/23024726/archive0.zip)\n\n\n\n### Update Note:\nOther saved testcases from the fuzzing campaign trigger the same underlying bug, but with a different manifestation. So there is one root cause (missing post-decode validation / zero-init before any unpack), with different call-sites. Below there are several archives, formatted like the previous one, that reproduce the other test cases.\n\n**Other observed sinks (distinct manifestations of the same bug):**\n\n**Deep pointers path:**\ngeneric_unpack_deep_pointers (deep scanline/tiled)\n[archive1.zip](https://github.com/user-attachments/files/23024736/archive1.zip)\n\n\n**Deep sample table path:**\nunpack_sample_table (deep scanline)\n[archive2.zip](https://github.com/user-attachments/files/23024740/archive2.zip)\n\n\n**Half conversion path:**\nhalf_to_float_buffer_f16c via unpack_half_to_float_3chan_planar\n[archive3.zip](https://github.com/user-attachments/files/23024744/archive3.zip)\n\n\n**Deep compositing:**\nCompositeDeepScanLine::readPixels → ThreadPool::addTask → LineCompositeTask::execute\n[archive4.zip](https://github.com/user-attachments/files/23024746/archive4.zip)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "PyPI",
25+
"name": "OpenEXR"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "3.3.0"
33+
},
34+
{
35+
"fixed": "3.3.6"
36+
}
37+
]
38+
}
39+
]
40+
},
41+
{
42+
"package": {
43+
"ecosystem": "PyPI",
44+
"name": "OpenEXR"
45+
},
46+
"ranges": [
47+
{
48+
"type": "ECOSYSTEM",
49+
"events": [
50+
{
51+
"introduced": "3.4.0"
52+
},
53+
{
54+
"fixed": "3.4.3"
55+
}
56+
]
57+
}
58+
]
59+
}
60+
],
61+
"references": [
62+
{
63+
"type": "WEB",
64+
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq"
65+
},
66+
{
67+
"type": "ADVISORY",
68+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64181"
69+
},
70+
{
71+
"type": "PACKAGE",
72+
"url": "https://github.com/AcademySoftwareFoundation/openexr"
73+
},
74+
{
75+
"type": "WEB",
76+
"url": "https://github.com/user-attachments/files/23024726/archive0.zip"
77+
},
78+
{
79+
"type": "WEB",
80+
"url": "https://github.com/user-attachments/files/23024736/archive1.zip"
81+
},
82+
{
83+
"type": "WEB",
84+
"url": "https://github.com/user-attachments/files/23024740/archive2.zip"
85+
},
86+
{
87+
"type": "WEB",
88+
"url": "https://github.com/user-attachments/files/23024744/archive3.zip"
89+
},
90+
{
91+
"type": "WEB",
92+
"url": "https://github.com/user-attachments/files/23024746/archive4.zip"
93+
}
94+
],
95+
"database_specific": {
96+
"cwe_ids": [
97+
"CWE-457"
98+
],
99+
"severity": "LOW",
100+
"github_reviewed": true,
101+
"github_reviewed_at": "2026-04-06T17:51:11Z",
102+
"nvd_published_at": "2025-11-10T22:15:36Z"
103+
}
104+
}

advisories/github-reviewed/2026/04/GHSA-3p65-76g6-3w7r/GHSA-3p65-76g6-3w7r.json

Lines changed: 84 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,84 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3p65-76g6-3w7r",
4+
"modified": "2026-04-06T17:52:52Z",
5+
"published": "2026-04-06T17:52:52Z",
6+
"aliases": [
7+
"CVE-2026-33540"
8+
],
9+
"summary": "Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm",
10+
"details": "commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)\ncontact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)\n\n## summary\n\nin pull-through cache mode, distribution discovers token auth endpoints by parsing `WWW-Authenticate` challenges returned by the configured upstream registry. the `realm` URL from a bearer challenge is used without validating that it matches the upstream registry host. as a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled `realm` URL.\n\nthis is the same vulnerability class as CVE-2020-15157 (containerd), but in distribution’s pull-through cache proxy auth flow.\n\n## severity\n\nHIGH\n\nnote: the baseline impact is credential disclosure of the configured upstream credentials. if a deployment uses broader credentials for upstream auth (for example cloud iam credentials), the downstream impact can be higher; i am not claiming this as default for all deployments.\n\n## impact\n\ncredential exfiltration of the upstream authentication material configured for the pull-through cache.\n\nattacker starting positions that make this realistic:\n- supply chain / configuration: an operator configures a proxy cache to use an upstream that becomes attacker-controlled (compromised registry, stale domain, or a malicious mirror)\n- network: MitM on the upstream connection in environments where the upstream is reachable over insecure transport or a compromised network path\n\n## affected components\n\n- `registry/proxy/proxyauth.go:66-81` (`getAuthURLs`): extracts bearer `realm` from upstream `WWW-Authenticate` without validating destination\n- `internal/client/auth/session.go:485-510` (`fetchToken`): uses the realm URL directly for token fetch\n- `internal/client/auth/session.go:429-434` (`fetchTokenWithBasicAuth`): sends credentials via basic auth to the realm URL\n\n## reproduction\n\nattachment: `poc.zip` (local harness) with canonical and control runs.\n\nthe harness is local and does not contact a real registry: it uses two local HTTP servers (upstream + attacker token service) to demonstrate whether basic auth is sent to an attacker-chosen realm.\n\n```bash\nunzip -q -o poc.zip -d poc\ncd poc\nmake canonical\nmake control\n```\n\nexpected output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[PROOF_MARKER]: basic_auth_sent=true realm_host=127.0.0.1 account_param=user authorization_prefix=Basic\n```\n\ncontrol output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[NC_MARKER]: realm_validation=PASS basic_auth_sent=false\n```\n\n## suggested remediation\n\nvalidate that the token `realm` destination is within the intended trust boundary before associating credentials with it or sending any authentication to it. one conservative option is strict same-host binding: only accept a realm whose host matches the configured upstream host.\n\n## fix accepted when\n\n- distribution does not send configured upstream credentials to an attacker-chosen realm URL\n- a regression test covers the canonical and blocked cases\n\n[addendum.md](https://github.com/user-attachments/files/24984637/addendum.md)\n[poc.zip](https://github.com/user-attachments/files/24984638/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/24984639/PR_DESCRIPTION.md)\n[RUNNABLE_POC.md](https://github.com/user-attachments/files/24984640/RUNNABLE_POC.md)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/distribution/distribution/v3"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.1.0"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/distribution/distribution"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"last_affected": "2.8.3"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://github.com/distribution/distribution/commit/cc5d5fa4ba02157501e6afa2cc6a903ad0338e7b"
69+
},
70+
{
71+
"type": "PACKAGE",
72+
"url": "https://github.com/distribution/distribution"
73+
}
74+
],
75+
"database_specific": {
76+
"cwe_ids": [
77+
"CWE-918"
78+
],
79+
"severity": "HIGH",
80+
"github_reviewed": true,
81+
"github_reviewed_at": "2026-04-06T17:52:52Z",
82+
"nvd_published_at": "2026-04-06T15:17:10Z"
83+
}
84+
}

0 commit comments

Comments
 (0)