openexr - Debian Package Tracker

general

source: openexr (main)
version: 2.5.7-1
maintainer: Debian PhotoTools Maintainers (archive) (DMD)
uploaders: Matteo F. Vescovi [DMD] – Mathieu Malaterre [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.2.0-11
o-o-sec: 2.2.0-11+deb9u4
oldstable: 2.2.1-4.1+deb10u1
old-sec: 2.2.1-4.1+deb10u1
stable: 2.5.4-2
testing: 2.5.7-1
unstable: 2.5.7-1
exp: 3.1.5-1

versioned links

2.2.0-11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.0-11+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.1-4.1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopenexr-dev (1 bugs: 1, 0, 0, 0)
libopenexr25
openexr
openexr-doc

action needed

A new upstream version is available: 3.1.5 high

A new upstream version 3.1.5 is available, you should consider packaging it.

Created: 2021-02-15 Last update: 2022-08-11 23:34

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-45942: OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Created: 2022-07-04 Last update: 2022-08-01 13:40

22 security issues in buster high

There are 22 open security issues in buster.

5 important issues:

CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-20299: A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
CVE-2021-20300: A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.
CVE-2021-20303: A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, leading to an out-of-bounds write on the heap. The greatest impact of this flaw is to application availability, with some potential impact to data integrity as well.

14 issues postponed or untriaged:

CVE-2021-3474: (needs triaging) There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.
CVE-2021-3475: (needs triaging) There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.
CVE-2021-3476: (needs triaging) A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.
CVE-2021-3477: (needs triaging) There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.
CVE-2021-3478: (needs triaging) There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
CVE-2021-3479: (needs triaging) There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.
CVE-2021-3598: (needs triaging) There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-3605: (needs triaging) There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2020-16587: (needs triaging) A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.
CVE-2020-16588: (needs triaging) A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file.
CVE-2020-16589: (needs triaging) A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file.
CVE-2021-20296: (needs triaging) A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
CVE-2021-26260: (needs triaging) An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
CVE-2021-45942: (needs triaging) OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

3 ignored issues:

CVE-2021-20298:
CVE-2021-20302: A flaw was found in OpenEXR's TiledInputFile functionality. This flaw allows an attacker who can submit a crafted single-part non-image to be processed by OpenEXR, to trigger a floating-point exception error. The highest threat from this vulnerability is to system availability.
CVE-2021-23215: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Created: 2022-07-04 Last update: 2022-08-01 13:40

7 security issues in bullseye high

There are 7 open security issues in bullseye.

4 important issues:

CVE-2021-3605: There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-45942: OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

2 issues left for the package maintainer to handle:

CVE-2021-3598: (needs triaging) There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
CVE-2021-26260: (needs triaging) An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2021-23215: An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Created: 2022-07-04 Last update: 2022-08-01 13:40

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2021-3933: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
CVE-2021-3941: In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
CVE-2021-45942: OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Created: 2022-07-04 Last update: 2022-08-01 13:40

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2022-01-01 04:34

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2019-09-03 Last update: 2020-08-22 04:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-05-11 23:25

testing migrations

This package will soon be part of the auto-openexr transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2022-04-30] Accepted openexr 3.1.5-1 (source) into experimental (Matteo F. Vescovi)
[2022-02-03] Accepted openexr 3.1.4-1 (source) into experimental (Matteo F. Vescovi)
[2021-12-03] Accepted openexr 3.1.3-2 (source) into experimental (Matteo F. Vescovi)
[2021-12-02] Accepted openexr 3.1.3-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2021-09-03] openexr 2.5.7-1 MIGRATED to testing (Debian testing watch)
[2021-09-03] openexr 2.5.7-1 MIGRATED to testing (Debian testing watch)
[2021-08-28] Accepted openexr 2.5.7-1 (source) into unstable (Matteo F. Vescovi)
[2021-08-04] Accepted openexr 2.2.0-11+deb9u4 (source) into oldstable (Sylvain Beucler)
[2021-07-03] Accepted openexr 2.2.0-11+deb9u3 (source) into oldstable (Sylvain Beucler)
[2021-05-25] openexr 2.5.4-2 MIGRATED to testing (Debian testing watch)
[2021-05-19] Accepted openexr 2.5.4-2 (source) into unstable (Matteo F. Vescovi)
[2021-01-27] openexr 2.5.4-1 MIGRATED to testing (Debian testing watch)
[2021-01-21] Accepted openexr 2.5.4-1 (source) into unstable (Matteo F. Vescovi)
[2020-12-13] Accepted openexr 2.2.0-11+deb9u2 (source amd64 all) into oldstable (Chris Lamb)
[2020-09-05] Accepted openexr 2.2.1-4.1+deb10u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2020-08-30] Accepted openexr 2.2.0-11+deb9u1 (source) into oldstable (Adrian Bunk)
[2020-08-29] Accepted openexr 2.2.1-4.1+deb10u1 (source amd64 all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2020-08-27] openexr 2.5.3-2 MIGRATED to testing (Debian testing watch)
[2020-08-21] Accepted openexr 2.5.3-2 (source) into unstable (Matteo F. Vescovi)
[2020-08-15] Accepted openexr 2.5.3-1 (source) into experimental (Matteo F. Vescovi)
[2020-08-06] Accepted openexr 2.5.2-2 (source) into experimental (Matteo F. Vescovi)
[2020-08-06] Accepted openexr 2.5.2-1 (source) into experimental (Matteo F. Vescovi)
[2020-06-12] Accepted openexr 2.5.1-2 (source) into experimental (Matteo F. Vescovi)
[2020-06-10] Accepted openexr 2.5.1-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2020-05-11] Accepted openexr 2.5.0-1 (source) into experimental (Matteo F. Vescovi)
[2019-09-08] openexr 2.3.0-6 MIGRATED to testing (Debian testing watch)
[2019-09-02] Accepted openexr 2.3.0-6 (source) into unstable (Matteo F. Vescovi)
[2019-04-02] openexr 2.2.1-4.1 MIGRATED to testing (Debian testing watch)
[2019-03-27] Accepted openexr 2.2.1-4.1 (source i386 all) into unstable (Steinar H. Gunderson)
[2019-01-09] Accepted openexr 2.3.0-5 (source) into experimental (Mathieu Malaterre)

bugs [bug history graph]

all: 4
RC: 2
I&N: 0
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 7)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.5.7-1
1 bug