Hi Chris,
On seeing you've self-assigned this issue and #461, I thought to mention - that by default - Linux/Unix builds will use libraries which are installed as part of the Linux/Unix distribution. On my Ubuntu system, for example, the libraries shipped with the distribution are already patched.
The libraries which are code controlled and part of what one gets when one clones the POV-Ray repository are for Windows builds. They perhaps need to be updated in any case, but I don't think #461 and #462 are Unix/Linux issues.
Summary
Vulnerabilities identified as CVE-2021-45942 and CVE-2021-20304 were discovered and fixed in OpenEXR. However, related files are not updated in the POV-Ray project.
POV-Ray Version
Affected build version: < 3.7.0.10
Details
They were fixed in OpenEXR with the following commits:
- AcademySoftwareFoundation/openexr@db217f2
- AcademySoftwareFoundation/openexr@51a92d6

But the POV-Ray project contains an old version of OpenEXR.
References
Report Origin
The bug is reported by a tool developed at CAST.