|
6 | 6 | ## Reporting a Vulnerability
|
7 | 7 |
|
8 | 8 | If you think you've found a potential vulnerability in OpenEXR, please
|
9 |
| -report it by emailing [email protected]. Only Technical Steering |
10 |
| -Committee members and Academy Software Foundation project management |
11 |
| -have access to these messages. Include detailed steps to reproduce the |
12 |
| -issue, and any other information that could aid an investigation. Our |
13 |
| -policy is to respond to vulnerability reports within 14 days. |
14 |
| - |
15 |
| -Our policy is to address critical security vulnerabilities rapidly and |
16 |
| -post patches as quickly as possible. If you do not get a response to a |
17 |
| -message sent to [email protected] within 48 hours, contact the |
18 |
| -project maintainers via a GitHub |
19 |
| -[Issue](https://github.com/AcademySoftwareFoundation/openexr/issues). |
| 9 | +report it by filing a GitHub [security |
| 10 | +advisory](https://github.com/AcademySoftwareFoundation/openexr/security/advisories/new). Alternatively, |
| 11 | +email [email protected] and provide your contact info for further |
| 12 | +private/secure discussion. If your email does not receive a prompt |
| 13 | +acknowledgement, your address may be blocked. |
| 14 | + |
| 15 | +Our policy is to acknowledge the receipt of vulnerability reports |
| 16 | +within 48 hours. Our policy is to address critical security vulnerabilities |
| 17 | +rapidly and post patches within 14 days if possible. |
20 | 18 |
|
21 | 19 | ## Known Vulnerabilities
|
22 | 20 |
|
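Review bot: the rewritten reporting paragraph (new lines 9-13) drops the old request to "Include detailed steps to reproduce the issue, and any other information that could aid an investigation", and the new sentence "If your email does not receive a prompt acknowledgement, your address may be blocked" leaves a reporter whose mail bounced with no stated fallback, whereas the removed text told them to open a GitHub Issue after 48 hours. Suggest keeping the reproduction-details request alongside the advisory link and stating explicitly that a reporter who gets no acknowledgement should use the security advisory form instead. Also note that "within 48 hours" (new line 16) and "within 14 days if possible" (new line 17) now describe two different promises, acknowledgement versus patch; consider making that distinction explicit so the two numbers are not read as contradicting the earlier text.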
@@ -61,3 +59,108 @@ These vulnerabilities are present in the given versions:
|
61 | 59 |
|
62 | 60 | See the [release notes](CHANGES.md) for more information.
|
63 | 61 |
|
| 62 | +## Supported Versions |
| 63 | + |
| 64 | +This gives guidance about which branches are supported with patches to |
| 65 | +security vulnerabilities. |
| 66 | + |
| 67 | +| Version / branch | Supported | |
| 68 | +| --------- | ---------------------------------------------------- | |
| 69 | +| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. | |
| 70 | +| 3.2.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. | |
| 71 | +| 3.1.x | :warning: Only the most critical fixes, only if they can be easily backported. | |
| 72 | +| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. | |
| 73 | +| 2.5.x | :warning: Only the most critical fixes, only if they can be easily backported. | |
| 74 | +| <= 1.x | :x: No longer receiving patches of any kind. | |
| 75 | + |
| 76 | +## Security Expectations |
| 77 | + |
| 78 | +### Software Features |
| 79 | + |
| 80 | +- The OpenEXR project implements the EXR image file format, used |
| 81 | + throughout the motion picture industry and beyond, on Linux, macOS, |
| 82 | + and Windows. |
| 83 | + |
| 84 | +- The project consists of a software run-time library, implemented in |
| 85 | + C/C++ and built via cmake, that reads and writes image data |
| 86 | + files. The project also distributes python wrappings for the C/C++ |
| 87 | + I/O API. |
| 88 | + |
| 89 | +- The library reads and writes binary image data and text-based |
| 90 | + metadata, treated as blind data, none of which is executable code. |
| 91 | + |
| 92 | +- Other than the website and online technical documentation, the |
| 93 | + project implements no web/online services or network communication |
| 94 | + protocols. The library never requests any security or |
| 95 | + authentication credentials or login information from users. |
| 96 | + |
| 97 | + The website implements no interactive features and requires no login |
| 98 | + credentials. |
| 99 | + |
| 100 | +- The library reads and writes only to file paths specificly requested |
| 101 | + via the C/C++ API. The runtime library uses no system configuration |
| 102 | + files or sidecar data files. Access to data files uses only standard |
| 103 | + file I/O system calls. |
| 104 | + |
| 105 | +- The library compresses/decompresses data via standard compression |
| 106 | + algorithms but uses no cryptographic or confidentiality protocols. |
| 107 | + |
| 108 | +### Software Dependencies |
| 109 | + |
| 110 | +OpenEXR depends on |
| 111 | +[Imath](https://github.com/AcademySoftwareFoundation/Imath), a library |
| 112 | +of basic math operations also maintained and distributed by the |
| 113 | +OpenEXR project. Imath follows the same security conventions |
| 114 | +documented here for OpenEXR itself. The core Imath library has no |
| 115 | +external dependencies. The Imath python bindings depend on python and |
| 116 | +boost. |
| 117 | + |
| 118 | +The only |
| 119 | +external library dependency of OpenEXR is |
| 120 | +[libdeflate](https://github.com/ebiggers/libdeflate), which implements |
| 121 | +standard deflate/zlib/gzip compression and decompression. |
| 122 | + |
| 123 | +The project uses |
| 124 | +[Snyk](https://github.com/AcademySoftwareFoundation/openexr/blob/main/.github/workflows/snyk-scan-pr.yml) |
| 125 | +to scan for dependency vulnerability. |
| 126 | + |
| 127 | +### Potential Vulnerabilities |
| 128 | + |
| 129 | +Potential entry points are images being loaded using the |
| 130 | +library. Malformed images could caused issues such as heap buffer |
| 131 | +overflows, out-of-memory faults, or segmentation faults that could be |
| 132 | +exploitable as denial-of-service attacks. |
| 133 | + |
| 134 | +### Hardening |
| 135 | + |
| 136 | +#### Testing |
| 137 | + |
| 138 | +The OpenEXR project implements a comprehensive suite of validation |
| 139 | +tests, including fuzz testing to harden against malicious input |
| 140 | +data. Note that fuzz testing hardens only against *small* input data |
| 141 | +files and is not a comprehensive test against all potential input. |
| 142 | + |
| 143 | +Note that the |
| 144 | +[exrcheck](https://github.com/AcademySoftwareFoundation/openexr/tree/main/src/bin/exrcheck) |
| 145 | +utility is intended to be used by testers to demonstrate a particular |
| 146 | +proof-of-concept input file exposes a vulnerability, and it is very |
| 147 | +helpful to let us know if a vulnerability can be reproduced using that |
| 148 | +tool. |
| 149 | + |
| 150 | +The project also uses the [OSS |
| 151 | +Fuzz](https://bugs.chromium.org/p/oss-fuzz) service for continuous |
| 152 | +fuzz testing. |
| 153 | + |
| 154 | +#### Development Cycle and Distribution |
| 155 | + |
| 156 | +OpenEXR is downloadable and buildable by C/C++ source via GitHub. Only |
| 157 | +members of the project's Technical Steering Committee, all veteran |
| 158 | +software engineers at major motion picture studios or vendors, have |
| 159 | +write permissions on the source code repository. All critical software |
| 160 | +changes are reviewed by multiple TSC members. |
| 161 | + |
| 162 | +The library is distributed in binary form via many common package |
| 163 | +managers across all platforms. |
| 164 | + |
| 165 | + |
| 166 | + |
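Review bot: the "Potential Vulnerabilities" paragraph (new lines 129-132) lists "heap buffer overflows" but then characterises the whole class as "exploitable as denial-of-service attacks"; a heap overflow in a parser for untrusted files is memory corruption, so the impact statement should not be limited to DoS. Suggest wording it along the lines of "could be exploitable as denial-of-service attacks or, in the case of memory-corruption bugs, potentially worse". Minor fixes in the same hunk: "Malformed images could caused issues" (line 130) should read "could cause", "specificly" (line 100) should be "specifically", and "scan for dependency vulnerability" (line 125) should be "vulnerabilities". In the Supported Versions table the separator row has two cells but the main-branch row (line 69) packs the support policy and the stability caveat into one cell; splitting the caveat into a sentence below the table would keep the Supported column scannable.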