openexr - Debian Package Tracker

general

source: openexr (main)
version: 2.5.7-1
maintainer: Debian PhotoTools Maintainers (archive) (DMD)
uploaders: Matteo F. Vescovi [DMD] – Mathieu Malaterre [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.2.0-11
o-o-sec: 2.2.0-11+deb9u4
oldstable: 2.2.1-4.1+deb10u1
old-sec: 2.2.1-4.1+deb10u1
stable: 2.5.4-2
testing: 2.5.7-1
unstable: 2.5.7-1

versioned links

2.2.0-11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.0-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.1-4.1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.3.0-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopenexr-dev
libopenexr25
openexr
openexr-doc

action needed

A new upstream version is available: 3.1.1 high

A new upstream version 3.1.1 is available, you should consider packaging it.

Created: 2021-02-15 Last update: 2021-09-20 09:58

19 security issues in buster high

There are 19 open security issues in buster.

3 important issues:

CVE-2021-20299:
CVE-2021-20300:
CVE-2021-20303:

13 issues left for the package maintainer to handle:

CVE-2020-16587: (needs triaging) A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.
CVE-2020-16588: (needs triaging) A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file.
CVE-2020-16589: (needs triaging) A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file.
CVE-2021-20296: (needs triaging) A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
CVE-2021-26260: (needs triaging) An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
CVE-2021-3474: (needs triaging) There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.
CVE-2021-3475: (needs triaging) There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.
CVE-2021-3476: (needs triaging) A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.
CVE-2021-3477: (needs triaging) There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.
CVE-2021-3478: (needs triaging) There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
CVE-2021-3479: (needs triaging) There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
CVE-2021-3598: (needs triaging) There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-3605: (needs triaging) There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

You can find information about how to handle these issues in the security team's documentation.

3 ignored issues:

CVE-2021-20298:
CVE-2021-20302:
CVE-2021-23215: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Created: 2021-02-19 Last update: 2021-09-03 04:35

4 security issues in bullseye high

There are 4 open security issues in bullseye.

1 important issue:

CVE-2021-3605: There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

2 issues left for the package maintainer to handle:

CVE-2021-26260: (needs triaging) An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
CVE-2021-3598: (needs triaging) There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2021-23215: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Created: 2021-06-06 Last update: 2021-09-03 04:35

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2021-09-06 18:34

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2019-09-03 Last update: 2020-08-22 04:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.5.1).

Created: 2021-08-18 Last update: 2021-08-29 07:36

news

[rss feed]

[2021-09-03] openexr 2.5.7-1 MIGRATED to testing (Debian testing watch)
[2021-09-03] openexr 2.5.7-1 MIGRATED to testing (Debian testing watch)
[2021-08-28] Accepted openexr 2.5.7-1 (source) into unstable (Matteo F. Vescovi)
[2021-08-04] Accepted openexr 2.2.0-11+deb9u4 (source) into oldstable (Sylvain Beucler)
[2021-07-03] Accepted openexr 2.2.0-11+deb9u3 (source) into oldstable (Sylvain Beucler)
[2021-05-25] openexr 2.5.4-2 MIGRATED to testing (Debian testing watch)
[2021-05-19] Accepted openexr 2.5.4-2 (source) into unstable (Matteo F. Vescovi)
[2021-01-27] openexr 2.5.4-1 MIGRATED to testing (Debian testing watch)
[2021-01-21] Accepted openexr 2.5.4-1 (source) into unstable (Matteo F. Vescovi)
[2020-12-13] Accepted openexr 2.2.0-11+deb9u2 (source amd64 all) into oldstable (Chris Lamb)
[2020-09-05] Accepted openexr 2.2.1-4.1+deb10u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2020-08-30] Accepted openexr 2.2.0-11+deb9u1 (source) into oldstable (Adrian Bunk)
[2020-08-29] Accepted openexr 2.2.1-4.1+deb10u1 (source amd64 all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2020-08-27] openexr 2.5.3-2 MIGRATED to testing (Debian testing watch)
[2020-08-21] Accepted openexr 2.5.3-2 (source) into unstable (Matteo F. Vescovi)
[2020-08-15] Accepted openexr 2.5.3-1 (source) into experimental (Matteo F. Vescovi)
[2020-08-06] Accepted openexr 2.5.2-2 (source) into experimental (Matteo F. Vescovi)
[2020-08-06] Accepted openexr 2.5.2-1 (source) into experimental (Matteo F. Vescovi)
[2020-06-12] Accepted openexr 2.5.1-2 (source) into experimental (Matteo F. Vescovi)
[2020-06-10] Accepted openexr 2.5.1-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2020-05-11] Accepted openexr 2.5.0-1 (source) into experimental (Matteo F. Vescovi)
[2019-09-08] openexr 2.3.0-6 MIGRATED to testing (Debian testing watch)
[2019-09-02] Accepted openexr 2.3.0-6 (source) into unstable (Matteo F. Vescovi)
[2019-04-02] openexr 2.2.1-4.1 MIGRATED to testing (Debian testing watch)
[2019-03-27] Accepted openexr 2.2.1-4.1 (source i386 all) into unstable (Steinar H. Gunderson)
[2019-01-09] Accepted openexr 2.3.0-5 (source) into experimental (Mathieu Malaterre)
[2019-01-01] Accepted openexr 2.3.0-4 (source amd64 all) into experimental, experimental (Matteo F. Vescovi)
[2018-12-19] Accepted openexr 2.3.0-3 (source) into experimental (Mathieu Malaterre)
[2018-11-15] Accepted openexr 2.3.0-2 (source) into experimental (Matteo F. Vescovi)
[2018-11-10] Accepted openexr 2.3.0-1 (source) into experimental (Matteo F. Vescovi)

bugs [bug history graph]

all: 2
RC: 0
I&N: 0
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 3)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.5.4-2
1 bug