CVE-2020-11765: 
NixOS vulnerability analysis and mitigation

An off-by-one error was discovered in OpenEXR before version 2.4.1, specifically in the use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. The vulnerability was identified and tracked as CVE-2020-11765, and was disclosed in February 2020 (OpenEXR Release).

The vulnerability is characterized as an off-by-one error that occurs in the DwaCompressor::Classifier::Classifier component when using the ImfXdr.h read function. This results in an out-of-bounds read condition, which could potentially lead to information disclosure or program crashes. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with attack vector being Local, attack complexity Low, requiring no privileges but user interaction, and potentially impacting system availability (Ubuntu CVE).

The vulnerability could allow an attacker to cause unexpected application termination through a denial of service condition when processing maliciously crafted EXR image files. The primary impact is on system availability, with no direct impact on confidentiality or integrity (OpenSUSE Security).

The vulnerability was fixed in OpenEXR version 2.4.1. Users and organizations are strongly recommended to upgrade to this version or later. Multiple operating system vendors have released security updates to address this vulnerability, including Ubuntu, Debian, and Fedora (Debian Security, Fedora Update).