OpenEXR Information Disclosure Vulnerability in PXR24 Decompression

Vulnerability

A vulnerability that leaks the contents of heap memory into decoded pixel data has been identified in OpenEXR versions 3.4.0 up to, but not including, 3.4.8. The flaw is in the PXR24 decompression routine: it allocates an output buffer for the expected uncompressed size of a chunk but does not verify that zlib actually produced that many bytes. When the stream ends early, the unwritten tail of the buffer, still holding whatever the heap previously contained, is returned as pixel data. Opening a crafted EXR file with a vulnerable library is sufficient to trigger the issue; no further user interaction is required.

Impact

Exploitation discloses bytes of the decoding process's heap memory, which are embedded in the decoded pixel data of the EXR file. The leaked bytes reach an attacker wherever the decoded image is passed back out, for example by a thumbnailing, transcoding or preview service that processes untrusted uploads and returns the result.

Reproduction

To reproduce, craft a PXR24-compressed EXR file in which a chunk's zlib stream is complete and well-formed (end-of-stream marker and Adler-32 checksum intact) but expands to fewer bytes than the chunk's declared uncompressed size. Because the stream itself is intact, zlib reports success rather than an error; the decoder then treats the whole expected-size buffer as valid output, including the part it never wrote, and the uninitialised heap bytes appear in the returned pixels when the file is read with a vulnerable OpenEXR library.
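The following is an added example, not code from OpenEXR or from this advisory, that models the decompression-stage defect in isolation: a complete zlib stream that inflates to fewer bytes than the chunk's declared size, decoded once the unpatched way (whole expected-size buffer returned, unwritten tail included) and once with the length check a hardened decoder needs. It deliberately leaves out PXR24's own predictor and byte-plane transforms, so the "pixel" payload is just raw bytes; the function names, the 64-byte chunk and the stale-heap pattern are all constructed for this example. Since Python cannot expose real uninitialised memory, the vulnerable path seeds its output buffer from a simulated heap region left behind by a previous user.

```python
import zlib

# Constructed stand-in for whatever a previous allocation left in the heap
# region the decoder's output buffer is carved from (this example's own data,
# not anything taken from a real OpenEXR process).
STALE_HEAP_PATTERN = b"leftover heap: api_key=AKIA-EXAMPLE-0000 "


def simulated_heap(size: int) -> bytes:
    """Return `size` bytes of 'uninitialised' memory: stale data from the region's last user."""
    reps = size // len(STALE_HEAP_PATTERN) + 1
    return (STALE_HEAP_PATTERN * reps)[:size]


def build_chunk(pixel_bytes: bytes) -> bytes:
    """Produce a complete, well-formed zlib stream (end-of-stream marker and Adler-32 intact).

    Passing fewer bytes than the chunk's declared uncompressed size yields the
    'valid but truncated' stream the advisory describes: zlib is happy, the
    decoder simply gets less output than it expected."""
    return zlib.compress(pixel_bytes)


def decode_vulnerable(compressed: bytes, expected_size: int) -> bytes:
    """Model of the unpatched behaviour.

    The output buffer is sized to the declared uncompressed length, inflate
    writes only as many bytes as the stream really contains, and the whole
    buffer is returned as pixel data without comparing the two."""
    out = bytearray(simulated_heap(expected_size))   # malloc(expected_size), contents untouched
    produced = zlib.decompressobj().decompress(compressed)
    n = min(len(produced), expected_size)
    out[:n] = produced[:n]        # only n bytes are ever written...
    return bytes(out)             # ...but all expected_size bytes are handed back


def decode_fixed(compressed: bytes, expected_size: int) -> bytes:
    """Hardened decode: the inflated length must equal the declared size exactly,
    the stream must have reached its end, and output is capped so an over-long
    stream cannot write past the buffer either."""
    d = zlib.decompressobj()
    # max_length = expected_size + 1 lets an over-long stream be detected while
    # never producing more than one surplus byte.
    produced = d.decompress(compressed, expected_size + 1)
    if not d.eof:
        raise ValueError("zlib stream did not terminate within the expected size")
    if len(produced) != expected_size:
        raise ValueError(f"decompressed {len(produced)} bytes, expected {expected_size}")
    return produced


if __name__ == "__main__":
    pixels = bytes(range(64))                 # constructed 64-byte 'pixel' chunk
    short_chunk = build_chunk(pixels[:16])    # valid stream carrying only 16 of 64 bytes

    leaked = decode_vulnerable(short_chunk, len(pixels))
    print("tail returned as pixel data:", leaked[16:])

    try:
        decode_fixed(short_chunk, len(pixels))
    except ValueError as exc:
        print("hardened decoder rejected the chunk:", exc)
```

Running the script prints the stale-heap bytes that the unpatched path hands back after the 16 real bytes, and the rejection raised by the checked path for the same input. The checked path also rejects a stream whose trailer has been cut off (the stream never reaches end-of-stream) and a stream that inflates to more than the declared size, which is the mirror-image bug in a decoder that trusts the declared size for its write bound.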

Remediation

Upgrade to OpenEXR 3.4.8 or later, which contains the fix. Applications that bundle or statically link OpenEXR need to be rebuilt against the patched library; updating the system package alone does not cover them.

Added: Apr 1, 2026, 9:35 PM
Updated: Apr 1, 2026, 9:35 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.