openexr - Debian Package Tracker

general

source: openexr (main)
version: 2.5.7-1
maintainer: Debian PhotoTools Maintainers (archive) (DMD)
uploaders: Matteo F. Vescovi [DMD] – Mathieu Malaterre [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.2.0-11
o-o-sec: 2.2.0-11+deb9u4
oldstable: 2.2.1-4.1+deb10u1
old-sec: 2.2.1-4.1+deb10u1
stable: 2.5.4-2
testing: 2.5.7-1
unstable: 2.5.7-1
exp: 3.1.5-1

versioned links

2.2.0-11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.0-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.1-4.1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopenexr-dev (1 bugs: 1, 0, 0, 0)
libopenexr25
openexr
openexr-doc

action needed

Marked for autoremoval on 30 June due to nvidia-graphics-drivers-tesla-470: #1011146 high

Version 2.5.7-1 of openexr is marked for autoremoval from testing on Thu 30 Jun 2022. It depends (transitively) on nvidia-graphics-drivers-tesla-470, affected by #1011146. You should try to prevent the removal by fixing these RC bugs.

Created: 2022-05-24 Last update: 2022-05-24 20:10

A new upstream version is available: 3.1.5 high

A new upstream version 3.1.5 is available, you should consider packaging it.

Created: 2021-02-15 Last update: 2022-05-24 17:27

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-45942: OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Created: 2021-11-10 Last update: 2022-03-27 04:08

22 security issues in buster high

There are 22 open security issues in buster.

5 important issues:

CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-20299: A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
CVE-2021-20300: A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.
CVE-2021-20303: A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, leading to an out-of-bounds write on the heap. The greatest impact of this flaw is to application availability, with some potential impact to data integrity as well.

14 issues left for the package maintainer to handle:

CVE-2021-3474: (needs triaging) There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.
CVE-2021-3475: (needs triaging) There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.
CVE-2021-3476: (needs triaging) A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.
CVE-2021-3477: (needs triaging) There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.
CVE-2021-3478: (needs triaging) There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
CVE-2021-3479: (needs triaging) There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
CVE-2021-3598: (needs triaging) There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-3605: (needs triaging) There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2020-16587: (needs triaging) A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.
CVE-2020-16588: (needs triaging) A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file.
CVE-2020-16589: (needs triaging) A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file.
CVE-2021-20296: (needs triaging) A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
CVE-2021-26260: (needs triaging) An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
CVE-2021-45942: (needs triaging) OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

You can find information about how to handle these issues in the security team's documentation.

3 ignored issues:

CVE-2021-20298:
CVE-2021-20302: A flaw was found in OpenEXR's TiledInputFile functionality. This flaw allows an attacker who can submit a crafted single-part non-image to be processed by OpenEXR, to trigger a floating-point exception error. The highest threat from this vulnerability is to system availability.
CVE-2021-23215: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Created: 2021-02-19 Last update: 2022-03-27 04:08

7 security issues in bullseye high

There are 7 open security issues in bullseye.

4 important issues:

CVE-2021-3605: There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-45942: OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

2 issues left for the package maintainer to handle:

CVE-2021-3598: (needs triaging) There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-26260: (needs triaging) An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2021-23215: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Created: 2021-06-06 Last update: 2022-03-27 04:08

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-45942: OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Created: 2021-11-10 Last update: 2022-03-27 04:08

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2022-01-01 04:34

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2019-09-03 Last update: 2020-08-22 04:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-05-11 23:25

testing migrations

This package will soon be part of the auto-openexr transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2022-04-30] Accepted openexr 3.1.5-1 (source) into experimental (Matteo F. Vescovi)
[2022-02-03] Accepted openexr 3.1.4-1 (source) into experimental (Matteo F. Vescovi)
[2021-12-03] Accepted openexr 3.1.3-2 (source) into experimental (Matteo F. Vescovi)
[2021-12-02] Accepted openexr 3.1.3-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2021-09-03] openexr 2.5.7-1 MIGRATED to testing (Debian testing watch)
[2021-09-03] openexr 2.5.7-1 MIGRATED to testing (Debian testing watch)
[2021-08-28] Accepted openexr 2.5.7-1 (source) into unstable (Matteo F. Vescovi)
[2021-08-04] Accepted openexr 2.2.0-11+deb9u4 (source) into oldstable (Sylvain Beucler)
[2021-07-03] Accepted openexr 2.2.0-11+deb9u3 (source) into oldstable (Sylvain Beucler)
[2021-05-25] openexr 2.5.4-2 MIGRATED to testing (Debian testing watch)
[2021-05-19] Accepted openexr 2.5.4-2 (source) into unstable (Matteo F. Vescovi)
[2021-01-27] openexr 2.5.4-1 MIGRATED to testing (Debian testing watch)
[2021-01-21] Accepted openexr 2.5.4-1 (source) into unstable (Matteo F. Vescovi)
[2020-12-13] Accepted openexr 2.2.0-11+deb9u2 (source amd64 all) into oldstable (Chris Lamb)
[2020-09-05] Accepted openexr 2.2.1-4.1+deb10u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2020-08-30] Accepted openexr 2.2.0-11+deb9u1 (source) into oldstable (Adrian Bunk)
[2020-08-29] Accepted openexr 2.2.1-4.1+deb10u1 (source amd64 all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2020-08-27] openexr 2.5.3-2 MIGRATED to testing (Debian testing watch)
[2020-08-21] Accepted openexr 2.5.3-2 (source) into unstable (Matteo F. Vescovi)
[2020-08-15] Accepted openexr 2.5.3-1 (source) into experimental (Matteo F. Vescovi)
[2020-08-06] Accepted openexr 2.5.2-2 (source) into experimental (Matteo F. Vescovi)
[2020-08-06] Accepted openexr 2.5.2-1 (source) into experimental (Matteo F. Vescovi)
[2020-06-12] Accepted openexr 2.5.1-2 (source) into experimental (Matteo F. Vescovi)
[2020-06-10] Accepted openexr 2.5.1-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2020-05-11] Accepted openexr 2.5.0-1 (source) into experimental (Matteo F. Vescovi)
[2019-09-08] openexr 2.3.0-6 MIGRATED to testing (Debian testing watch)
[2019-09-02] Accepted openexr 2.3.0-6 (source) into unstable (Matteo F. Vescovi)
[2019-04-02] openexr 2.2.1-4.1 MIGRATED to testing (Debian testing watch)
[2019-03-27] Accepted openexr 2.2.1-4.1 (source i386 all) into unstable (Steinar H. Gunderson)
[2019-01-09] Accepted openexr 2.3.0-5 (source) into experimental (Mathieu Malaterre)

bugs [bug history graph]

all: 3
RC: 1
I&N: 0
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 7)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.5.7-1
1 bug