CVE-2009-1720

Name of the Vulnerable Software and Affected Versions OpenEXR versions 1.2.2 through 1.6.1 OpenEXR versions prior to 1.7.0

Description The issue involves multiple integer overflows that can be exploited by context-dependent attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows. This is related to the Imf::PreviewImage::PreviewImage function and compressor constructors. The vulnerability can be exploited remotely and may lead to a violation of confidentiality, integrity, and availability of protected information.

Recommendations For OpenEXR versions 1.2.2 through 1.6.1, update to version 1.7.0 or later to resolve the issue. For OpenEXR versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider disabling the Imf::PreviewImage::PreviewImage function and compressor constructors until a patch is available. Restrict access to the affected OpenEXR components to minimize the risk of exploitation.