security/vuxml: document OpenEXR < 3.1.4 vuln

Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute

Security:	b6ef8a53-8062-11ec-9af3-fb232efe4d2e
Security:	CVE-2021-45942

1 files changed, 33 insertions, 0 deletions

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index e11b932683af..9337a4faab3e 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,36 @@
+  <vuln vid="b6ef8a53-8062-11ec-9af3-fb232efe4d2e">
+    <topic>OpenEXR -- Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute</topic>
+    <affects>
+      <package>
+	<name>openexr</name>
+	<range><lt>3.1.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Cary Phillips reports:</p>
+	<blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/blob/v3.1.4/CHANGES.md#version-314-january-26-2022">
+	  <p>[OpenEXR Version 3.1.4 is a] patch release that [...]
+	    addresses one public security vulnerability:
+	    CVE-2021-45942 Heap-buffer-overflow in
+	    Imf_3_1::LineCompositeTask::execute [and several]
+	    specific OSS-fuzz issues [...].</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-45942</cvename>
+      <url>https://github.com/AcademySoftwareFoundation/openexr/blob/v3.1.4/CHANGES.md#version-314-january-26-2022</url>
+      <url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416</url> <!-- reported for dates.discovery below -->
+      <url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41999</url> <!-- reported 2021-12-04 -->
+      <url>https://github.com/AcademySoftwareFoundation/openexr/pull/1209</url> <!-- fix for CVE-inducing issue -->
+    </references>
+    <dates>
+      <discovery>2021-11-26</discovery>
+      <entry>2022-01-28</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="1aaaa5c6-804d-11ec-8be6-d4c9ef517024">
     <topic>OpenSSL -- BN_mod_exp incorrect results on MIPS</topic>
     <affects>