openexr (2.5.4-2+deb11u1) bullseye-security; urgency=high * Non-maintainer upload. * Fix CVE-2021-3598, CVE-2021-3605, CVE-2021-3933, CVE-2021-3941, CVE-2021-23215, CVE-2021-26260 and CVE-2021-45942. Multiple security vulnerabilities have been found in OpenEXR, command-line tools and a library for the OpenEXR image format. Buffer overflows or out-of-bound reads could lead to a denial of service (application crash) if a malformed image file is processed. (Closes: #992703, #990450, #990899, #1014828, #1014828) -- Markus Koschany Sat, 10 Dec 2022 14:53:33 +0100 openexr (2.5.4-2) unstable; urgency=high * debian/patches/: patchset updated - CVE-2021-23169.diff added (Closes: #988240) | This patch aims to fix CVE-2021-23169: | Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer | The patch applied is a reduced version of the upstream | commit, given the code base has changed in the meanwhile. -- Matteo F. Vescovi Tue, 18 May 2021 23:26:12 +0200 openexr (2.5.4-1) unstable; urgency=medium * New upstream release * debian/watch: parameters updated * debian/control: - S-V bump 4.5.0 -> 4.5.1 (no changes needed) - set minimal ilmbase lib to v2.5.4 -- Matteo F. Vescovi Thu, 21 Jan 2021 23:24:00 +0100 openexr (2.5.3-2) unstable; urgency=medium * Upload to unstable (Closes: #959444) -- Matteo F. Vescovi Fri, 21 Aug 2020 22:56:55 +0200 openexr (2.5.3-1) experimental; urgency=medium * New upstream release -- Matteo F. Vescovi Fri, 14 Aug 2020 20:54:17 +0200 openexr (2.5.2-2) experimental; urgency=medium * debian/control: strict versioning against libilmbase-dev -- Matteo F. Vescovi Thu, 06 Aug 2020 20:18:22 +0200 openexr (2.5.2-1) experimental; urgency=medium * New upstream release -- Matteo F. Vescovi Thu, 06 Aug 2020 17:38:22 +0200 openexr (2.5.1-2) experimental; urgency=medium * debian/rules: drop tests on all architectures -- Matteo F. Vescovi Fri, 12 Jun 2020 20:36:27 +0200 openexr (2.5.1-1) experimental; urgency=medium * New upstream release (Closes: #960439) - debian/control: SONAME bump 24 -> 25 * debian/rules: set cmake as build system -- Matteo F. Vescovi Thu, 21 May 2020 23:05:36 +0200 openexr (2.5.0-1) experimental; urgency=medium * New upstream release, fixing following security issues: + CVE-2020-11758: | An issue was discovered in OpenEXR before 2.4.1. There is an out-of- | bounds read in ImfOptimizedPixelReading.h. + CVE-2020-11759: | An issue was discovered in OpenEXR before 2.4.1. Because of integer | overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and | readSampleCountForLineBlock, an attacker can write to an out-of-bounds | pointer. + CVE-2020-11760: | An issue was discovered in OpenEXR before 2.4.1. There is an out-of- | bounds read during RLE uncompression in rleUncompress in ImfRle.cpp. + CVE-2020-11761: | An issue was discovered in OpenEXR before 2.4.1. There is an out-of- | bounds read during Huffman uncompression, as demonstrated by | FastHufDecoder::refill in ImfFastHuf.cpp. + CVE-2020-11762: | An issue was discovered in OpenEXR before 2.4.1. There is an out-of- | bounds read and write in DwaCompressor::uncompress in | ImfDwaCompressor.cpp when handling the UNKNOWN compression case. + CVE-2020-11763: | An issue was discovered in OpenEXR before 2.4.1. There is an | std::vector out-of-bounds read and write, as demonstrated by | ImfTileOffsets.cpp. + CVE-2020-11764: | An issue was discovered in OpenEXR before 2.4.1. There is an out-of- | bounds write in copyIntoFrameBuffer in ImfMisc.cpp. + CVE-2020-11765: | An issue was discovered in OpenEXR before 2.4.1. There is an off-by- | one error in use of the ImfXdr.h read function by | DwaCompressor::Classifier::Classifier, leading to an out-of-bounds | read. * debian/watch: upstream URL updated * debian/control: - S-V bump 4.4.0 -> 4.5.0 (no changes needed) - RRR set - debhelper bump 12 -> 13 - cmake b-dep added * debian/patches/: patchset refreshed against v2.5.0 * debian/copyright: entries updated and refreshed * debian/libopenexr-dev.install: useless files dropped * debian/libopenexr-dev.dirs: useless file dropped * debian/openexr-doc.docs: installation path updated * debian/openexr.install: executables path updated * debian/libopenexr-dev.install: cmake helpers added * debian/openexr-doc.examples: installation paths updated -- Matteo F. Vescovi Mon, 11 May 2020 16:33:24 +0200 openexr (2.3.0-6) unstable; urgency=medium * Upload to unstable (Closes: #919036) * debian/: debhelper bump 11 -> 12 * debian/control: S-V bump 4.3.0 -> 4.4.0 (no changes needed) -- Matteo F. Vescovi Mon, 02 Sep 2019 16:23:00 +0200 openexr (2.3.0-5) experimental; urgency=medium * debian/control: Provide a clean upgrade path. Closes: #918382 * debian/copyright: Update incomplete file. Closes: #917953 * debian/control: Make sure to pick libilmbase24 -- Mathieu Malaterre Wed, 09 Jan 2019 11:00:54 +0100 openexr (2.3.0-4) experimental; urgency=medium * debian/control: SONAME bump 23 -> 24 to reflect libtool numbering * debian/: filenames adapted to SONAME bump * debian/control: S-V bump 4.2.1 -> 4.3.0 (no changes needed) * debian/control: bump dependency on ilmbase to "-3" revision -- Matteo F. Vescovi Mon, 31 Dec 2018 15:37:38 +0100 openexr (2.3.0-3) experimental; urgency=medium * Make sure to use float-store when compiling tests. Closes: #909865 -- Mathieu Malaterre Wed, 19 Dec 2018 21:41:08 +0100 openexr (2.3.0-2) experimental; urgency=medium [ Andreas Metzler ] * am_foreign_set_global.diff: Patch AM_INIT_AUTOMAKE in configure.ac to run automake with --foreign. (Needed for running autoreconf without specifying this option.) * Add a build-dependency on pkg-config, which is also need for running autoreconf. * Undo downgrade of debhelper version in previous upload. + Undo path changes in debian/openexr-doc.doc-base.*, with compat level 11 dh_installdocs installs to /usr/share/doc/openexr/. * Delete unapplied patch 20_autoreconf.diff. * Build with hardening=+bindnow. -- Matteo F. Vescovi Thu, 15 Nov 2018 22:06:35 +0100 openexr (2.3.0-1) experimental; urgency=medium * New upstream release - debian/: debhelper version downgrade 11 -> 9 - debian/watch: path and parameters updated - debian/upstream/signing-key.asc: new signing key * debian/control: - S-V bump 4.1.3 -> 4.2.1 (no changes needed) - b-dep version bump for libilmbase-dev - b-dep version bump for libilmbase-dev * debian/openexr-doc.doc-base.*: paths updated -- Matteo F. Vescovi Sat, 10 Nov 2018 22:38:31 +0100 openexr (2.2.1-4) unstable; urgency=medium * Upload to unstable -- Matteo F. Vescovi Sun, 11 Mar 2018 14:10:23 +0100 openexr (2.2.1-3) experimental; urgency=medium * debian/control: fix Breaks/Replaces to allow co-installation -- Matteo F. Vescovi Sat, 10 Mar 2018 18:34:36 +0100 openexr (2.2.1-2) experimental; urgency=medium * debian/: SONAME bump 22 -> 23 * debian/control: add Breaks and Replaces for library replacement * debian/control: Vcs-* fields updated to use salsa * debian/copyright: http:// -> https:// for copyright format * debian/: manpages files moved to manpages/ directory -- Matteo F. Vescovi Thu, 08 Mar 2018 10:46:17 +0100 openexr (2.2.1-1) experimental; urgency=medium * New upstream release This release addresses: - CVE-2017-9111 - CVE-2017-9113 - CVE-2017-9114 - CVE-2017-9115 - CVE-2017-12596 - debian/patches/series: CVE-2017-911x.patch disabled (since already applied upstream) * debian/watch: move to https:// URL * debian/control: S-V bump 3.9.8 -> 4.1.3 (no changes needed) * debian/: autoreconf usage dropped * debian/: dh bump 9 -> 11 * debian/openexr-doc.doc-base.*: fix paths -- Matteo F. Vescovi Wed, 10 Jan 2018 15:50:11 +0100 openexr (2.2.0-11.1) unstable; urgency=high * Non-maintainer upload. * Fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116. Brandon Perry discovered that openexr was affected by an integer overflow vulnerability and missing boundary checks that would allow a remote attacker to cause a denial of service (application crash) via specially crafted image files. (Closes: #864078) -- Markus Koschany Thu, 31 Aug 2017 23:52:03 +0200 openexr (2.2.0-11) unstable; urgency=medium * Remove symbols files. Closes: #807079 * Bump Std-Vers to 3.9.8. No changes needed -- Mathieu Malaterre Tue, 19 Jul 2016 08:53:26 +0200 openexr (2.2.0-10) unstable; urgency=medium * debian/patches/: patchset updated - bug815594.patch added (Closes: #815594) * debian/control: S-V bump 3.9.6 -> 3.9.7 (no changes needed) -- Matteo F. Vescovi Sat, 27 Feb 2016 13:44:05 +0100 openexr (2.2.0-9) unstable; urgency=medium * Upload to unstable * debian/control: git:// -> https:// for Vcs-* fields -- Matteo F. Vescovi Mon, 01 Feb 2016 12:28:18 +0100 openexr (2.2.0-8) experimental; urgency=medium * Make sure to use latest of ilmbase -- Mathieu Malaterre Mon, 18 Jan 2016 21:16:32 +0100 openexr (2.2.0-7) experimental; urgency=medium * Fix symbols on armel/powerpc/armhf -- Mathieu Malaterre Mon, 19 Oct 2015 14:47:28 +0200 openexr (2.2.0-6) experimental; urgency=medium * Update symbols for s390x * Do not run the test suite on mips/alpha/hppa -- Mathieu Malaterre Fri, 16 Oct 2015 21:35:26 +0200 openexr (2.2.0-5) experimental; urgency=medium * Fix tests on big endian arches -- Mathieu Malaterre Mon, 05 Oct 2015 15:32:06 +0200 openexr (2.2.0-4) experimental; urgency=medium * debian/*.maintscript: new path added. (Closes: #782098) Thanks to Andreas Beckmann (anbe) for the hint. -- Matteo F. Vescovi Fri, 25 Sep 2015 10:30:16 +0200 openexr (2.2.0-3) experimental; urgency=medium * Update symbol file for arm64 * Fix 32bits arch symbol file (gcc5 transition) * Update symbol file for ppc64el -- Mathieu Malaterre Sun, 13 Sep 2015 14:54:22 +0200 openexr (2.2.0-2) experimental; urgency=medium [ Andreas Beckmann ] * openexr-doc: add missing Replaces: openexr (<< 1.6.1-9) * openexr, libopenexr-dev: Transition /usr/share/doc/$PACKAGE from symlink to directory. (Closes: #782098) [ Mathieu Malaterre ] * Fix compilation on arm64. Closes: #793041 * Fix test-suite on some 32bits archs. Closes: #791478 * Fix test-suite on some big-endian archs. Closes: #793040 * Update symbols file -- Mathieu Malaterre Sun, 23 Aug 2015 15:22:44 +0200 openexr (2.2.0-1) experimental; urgency=medium [ Mathieu Malaterre ] * New upstream. Closes: #773027, #666396 * Remove all CVE patches, applied upstream * Remove bogus tests for now. Closes: #790495 * Fix symbol file on 32/64bits arch [ Matteo F. Vescovi ] * debian/libopenexr22.symbols: debian revision stripped * debian/copyright: DEP-5 compliance added -- Mathieu Malaterre Fri, 10 Jul 2015 14:09:39 +0200 openexr (1.6.1-12) experimental; urgency=medium * Fix symbols, make it 32 vs 64 bits -- Mathieu Malaterre Fri, 05 Jun 2015 15:12:01 +0200 openexr (1.6.1-11) experimental; urgency=medium * Add missing Breaks/Replace. Closes: #782106 * Remove old *.postinst files. Closes: #782098 * Update symbols file, using getbuildlog -- Mathieu Malaterre Wed, 27 May 2015 10:31:18 +0200 openexr (1.6.1-10) experimental; urgency=low [ Matteo F. Vescovi ] * debian/control: add myself to Uploaders [ Mathieu Malaterre ] * Fix Vcs-* back to pkg-phototools * Update symbol files -- Mathieu Malaterre Sat, 09 May 2015 14:50:04 +0200 openexr (1.6.1-9) experimental; urgency=low * Add an openexr-doc package (arch: all) + move examples and documentation * Fix a minor typo detected by lintian * Remove reference to ia64 from d/rules * Bump Std-Vers to 3.9.6, no changes needed * Add symbols file, do not install *.la anymore -- Mathieu Malaterre Tue, 20 Jan 2015 16:55:07 +0100 openexr (1.6.1-8) unstable; urgency=medium * QA upload. * Orphan package, set maintainer to QA. * Add 20_autoreconf.diff by Andreas Barth to let autoreconf run successfully and use dh-autoreconf. Closes: #759719 * Point Vcs-* to anonscm.debian.org. -- Andreas Metzler Sun, 31 Aug 2014 07:56:20 +0200 openexr (1.6.1-7) unstable; urgency=low * Convert to multi-arch. + Use debhelper v9 compat, bump build-dep. Drop unneeded invocation of dpkg-buildflags. + Update *.install. + Add Pre-Depends: ${misc:Pre-Depends}. + Runtime library is Multi-Arch: same, cmd-line utils Multi-Arch: foreign. -- Andreas Metzler Sat, 08 Dec 2012 14:23:33 +0100 openexr (1.6.1-6) unstable; urgency=low * nonlinuxlargestack.diff Fix FTBFS when large stacks are disabled. Bug-report, diagnosis and patch by Pino Toscano. Closes: #680509 -- Andreas Metzler Sat, 07 Jul 2012 08:58:08 +0200 openexr (1.6.1-5) unstable; urgency=low * Update package short description, openexr does not contain a viewer. Closes: #471783 * Use 3.0 (quilt) source format. * Re-enable doc-base support. At least dhelp works without problems. * Use dh $@ --with autotools_dev. Version autotools-dev b-d. * The latter three changes add support for build-arch target, fixing FTBFS. Closes: #666297 * Change override_dh_auto_test target to invoke dh_auto_test, otherwise the testsuite is run twice. (Once for build and binary). * Add myself to uploaders, remove Cyril. (Thanks for you work!) * Empty dependency_libs in libtool la file. * Fix doc-base ids. (lowercase, no underscore.) * Drop Section: graphics from binary package stanza in debian/control. * Fix typo mutiple in exrmaketiled.1. * Use 'dpkg-buildflags --export=configure' to get hardening-flags. (Thanks, Moritz Muehlenhoff). Add required b-d on dpkg-dev (>= 1.16.1). Closes: #656506 -- Andreas Metzler Sun, 01 Apr 2012 08:45:13 +0200 openexr (1.6.1-4.1) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fixed CVE-2009-1720: Integer overflows in Imf::PreviewImage::PreviewImage and integer overflows in compressor constructors * Fixed CVE-2009-1721: uninitialized pointers in Imf::hufUncompress * Patch stolen from stable-security, thanks to Cyril Brulebois (Closes: #550424) -- Giuseppe Iuculano Wed, 21 Oct 2009 23:54:35 +0200 openexr (1.6.1-4) unstable; urgency=low * Adopt the package within pkg-phototools (Closes: #494877): - Thanks to Adeodato Simó et al. for having taken care of it until now! - Set Maintainer to the group. - Set Uploaders to myself. - Update Vcs-{Git,Browser}. - Remove XS-X-Collab-Maint field, no longer relevant. Patches are still welcome, though! * Switch to debhelper 7: - Bump debian/compat to 7. - Version the B-D on debhelper: >= 7.0.50 to allow the use of overrides. - Specify some overrides to tweak as needed for the build: - dh_auto_configure: pass the --with-openexr flag to configure script. - dh_auto_test: don't run “check” on arm and ia64 for now, and bypass dh_auto_test due to bad target detection. - dh_compress: no longer compress .h/.cpp examples. - dh_link: needed since libopenexr-dev's and openexr's /us/s/d directories are symlinks to libopenexr6's one. - dh_makeshlibs: keep on using -V. - dh_installdeb: add a call to dh_buildinfo to keep on storing the versions of packages installed during the build. - Specify some targets: - build and clean to handle patching/unpatching and updating/cleaning config.{guess,sub}. * Now compress PDF documentation. Any sane PDF viewer should be able to handle decompression. * Remove .gitignore file. * Add ${misc:Depends} to all binaries. * Bump Standards-Version from 3.7.3 to 3.8.1 (no changes needed). -- Cyril Brulebois Sat, 11 Apr 2009 22:00:04 +0200 openexr (1.6.1-3) unstable; urgency=medium * Disable (hopefully temporarily) the test suite on arm and ia64. -- Adeodato Simó Mon, 24 Mar 2008 23:00:21 +0100 openexr (1.6.1-2) unstable; urgency=low * Upload to unstable. * Fix FTBFS with gcc 4.3, thanks Cyril Brulebois for the patch (closes: #441573). Add quilt to Build-Depends. * Update Standards-Version to 3.7.3 (no changes needed). * Swap Maintainer and Uploaders in debian/control. * Move packaging to a git repository under collab-maint. Add a X-Collab-Maint header. -- Adeodato Simó Sun, 16 Mar 2008 15:16:05 +0100 openexr (1.6.1-1) experimental; urgency=low * New upstream release. (Closes: #405783, #437494) + New soname: rename package to libopenexr6, and drop old conflicts and replaces. + Build-depend on libilmbase-dev (Imath, Half et al. are now there). Make libopenexr-dev depend on it as well, and drop bits from description that allude to these other libraries. * The exrdisplay binary is no longer shipped by upstream in the openexr tarball (it has moved to openexr_viewers): do not install it, nor its manpage, drop build-dependencies on libfltk1.1-dev and OpenGL stuff, and README.Debian as well, since they all were only needed for this program. * Adding myself as an uploader; add VCS-Bzr header. * Do some housekeeping: + update debian/watch. + bump debian/compat to 5. + use ${binary:Version} instead of ${Source-Version}. + bump Standards-Version to 3.7.2 (no changes needed). + use a Homepage header, instead of the pseudo-header. * Run tests after building. * Drop all patches, unnecessary. -- Adeodato Simó Fri, 02 Nov 2007 22:20:53 +0100 openexr (1.2.2-4.4) unstable; urgency=low * Non-maintainer upload. * Rename libopenexr2c2a to libopenexr2ldbl for the long double transition. (Closes: #430286) -- Adeodato Simó Mon, 23 Jul 2007 16:34:02 +0200 openexr (1.2.2-4.3) unstable; urgency=medium * Non-maintainer upload. * Fix build system not to create libraries with undefined symbols. Added patch 01-libadd_to_prevent_undef_syms to properly define libImath_la_LIBADD and libIlmImf_la_LIBADD in Makefile.am. (Closes: #370193) -- Adeodato Simó Sat, 10 Jun 2006 13:36:15 +0200 openexr (1.2.2-4.2) unstable; urgency=high * Non-maintainer upload. * Add zlib1g-dev as build-dep (Closes: #356014). -- Luk Claes Mon, 27 Mar 2006 21:12:22 +0200 openexr (1.2.2-4.1) unstable; urgency=low * Non-maintainer upload. * libstdc++ allocator transition: rename libopenexr2c2 to libopenexr2c2a. (Closes: #339241) + debian/control: rename package, make it replace and conflict libopenexr2c2, update libopenexr-dev dependency. + debian/*: s/libopenexr2c2/libopenexr2c2a/g + mv debian/libopenexr2c2{,a}.install -- Adeodato Simó Sat, 26 Nov 2005 01:31:40 +0100 openexr (1.2.2-4) unstable; urgency=medium * FTBFS fix: Remove usage "ld --as-needed". (closes: #323973) -- Andrew Lau Sat, 20 Aug 2005 00:52:05 +1000 openexr (1.2.2-3) unstable; urgency=medium * C++ transition - Rename libopenexr2 to libopenexr2c2. (closes: #317520) - Patch to build with g++-4.0 + [debian/patches/00_g++-4.0_compile.patch] Thanks: Daniel Schepler (closes: #316198) * [debian/control]: - Switch depend on XFree86's xlibmesa-glu-dev to X.Org's libglu1-xorg-dev. - Debian Standards-Version: 3.6.2 * [debian/rules]: - Record compile-time dependency versions using dh_buildinfo. - Fix documentation symlinks. -- Andrew Lau Sun, 17 Jul 2005 00:57:57 +1000 openexr (1.2.2-2) unstable; urgency=low * Documentation fixes - Remove stale doc-base entries. (closes: #303226) -- Andrew Lau Mon, 9 May 2005 01:16:15 +1000 openexr (1.2.2-1) unstable; urgency=medium * New upstream release. * [debian/rules]: - Deflate dependencies via ld's --as-needed option. -- Andrew Lau Sun, 13 Mar 2005 15:47:49 +1100 openexr (1.2.1-3) unstable; urgency=low * Documentation fixes - Removed non-Linux README files. (closes: #267856) - Registered API and overview with doc-base. -- Andrew Lau Thu, 20 Jan 2005 02:53:59 +1100 openexr (1.2.1-2) unstable; urgency=medium * Correct libopenexr-dev's dependency on libopenexr0 to libopenexr2. -- Andrew Lau Tue, 17 Aug 2004 14:32:17 +1000 openexr (1.2.1-1) unstable; urgency=low * New upstream (stable) release. - SONAME bumped up to 2. libopenexr2 now replaces/conflicts with libopenexr0. -- Andrew Lau Sat, 14 Aug 2004 02:46:58 +1000 openexr (1.1.1-1) unstable; urgency=low * New upstream release. - Builds on 64-bit architectures. (closes: #239732) - Note that this is a development release and the tiled file format has changed. See the ReleaseNotes file for more details. -- Andrew Lau Wed, 31 Mar 2004 12:17:48 +1000 openexr (1.1.0-1) unstable; urgency=low * New upstream release. -- Andrew Lau Wed, 11 Feb 2004 00:58:58 +1100 openexr (1.0.7-1) unstable; urgency=low * New upstream release. -- Andrew Lau Tue, 20 Jan 2004 00:44:12 +1100 openexr (1.0.6-1) unstable; urgency=low * New upstream release. * Switch from Debhelper to Common Debian Build System. -- Andrew Lau Wed, 8 Oct 2003 02:04:38 +1000 openexr (1.0.5-2) unstable; urgency=low * Fixed FTBFS by replacing instances of FL/*.h with FL/*.H in acinclude.m4, aclocal.m4 and configure. (closes: #196708) -- Andrew Lau Sun, 22 Jun 2003 00:37:27 +1000 openexr (1.0.5-1) unstable; urgency=low * Initial Release (closes: #178317). -- Andrew Lau Thu, 22 May 2003 11:12:24 +1000