CVE-2020-11762: 
NixOS vulnerability analysis and mitigation

An issue was discovered in OpenEXR before 2.4.1 involving an out-of-bounds read and write vulnerability in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case. The vulnerability was assigned CVE-2020-11762 and was fixed in OpenEXR version 2.4.1 released on February 11, 2020 (OpenEXR Release).

The vulnerability is classified as a buffer overflow issue that allows both out-of-bounds read and write operations. The CVSS v3.1 base score is 5.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability specifically occurs in the DwaCompressor::uncompress function within ImfDwaCompressor.cpp when processing the UNKNOWN compression case (NVD).

If exploited, this vulnerability could lead to denial of service and potentially allow arbitrary code execution when processing malformed EXR image files (Debian Advisory).

The vulnerability was fixed in OpenEXR version 2.4.1. Users are advised to upgrade to this version or later. Multiple operating system vendors have released security updates including Ubuntu, Debian, and Apple. For Ubuntu users, the fix is available in version 2.3.0-6ubuntu0.1 for Ubuntu 20.04, version 2.2.1-4.1ubuntu1.1 for Ubuntu 19.10, and version 2.2.0-11.1ubuntu1.2 for Ubuntu 18.04 (Ubuntu Advisory).