openimageio - Debian Package Tracker

general

source: openimageio (main)
version: 2.5.18.0+dfsg-1
maintainer: Debian PhotoTools Maintainers (archive) (DMD)
uploaders: Matteo F. Vescovi [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.0.5~dfsg0-1
o-o-sec: 2.0.5~dfsg0-1+deb10u2
oldstable: 2.2.10.1+dfsg-1+deb11u1
old-sec: 2.2.10.1+dfsg-1+deb11u1
stable: 2.4.7.1+dfsg-2
testing: 2.5.18.0+dfsg-1
unstable: 2.5.18.0+dfsg-1

versioned links

2.0.5~dfsg0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.5~dfsg0-1+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.10.1+dfsg-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.7.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.5.18.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopenimageio-dev
libopenimageio-doc
libopenimageio2.5
openimageio-tools
python3-openimageio

action needed

Marked for autoremoval on 30 May due to openvdb: #1103363 high

Version 2.5.18.0+dfsg-1 of openimageio is marked for autoremoval from testing on Fri 30 May 2025. It depends (transitively) on openvdb, affected by #1103363. You should try to prevent the removal by fixing these RC bugs.

Created: 2025-04-23 Last update: 2025-05-07 16:33

A new upstream version is available: 3.0.6.1 high

A new upstream version 3.0.6.1 is available, you should consider packaging it.

Created: 2024-10-02 Last update: 2025-05-07 15:31

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-02-16 Last update: 2025-05-02 14:00

3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:

CVE-2024-55192: OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*).
CVE-2024-55193: OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.
CVE-2024-55194: OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.

Created: 2025-01-26 Last update: 2025-02-27 05:02

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2024-55192: OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*).
CVE-2024-55193: OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.
CVE-2024-55194: OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.

Created: 2025-02-17 Last update: 2025-02-27 05:02

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-04-23 Last update: 2025-05-07 14:00

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2024-09-09 Last update: 2024-09-09 05:03

12 low-priority security issues in bookworm low

There are 12 open security issues in bookworm.

12 issues left for the package maintainer to handle:

CVE-2023-3430: (needs triaging) A vulnerability was found in OpenImageIO, where a heap buffer overflow exists in the src/gif.imageio/gifinput.cpp file. This flaw allows a remote attacker to pass a specially crafted file to the application, which triggers a heap-based buffer overflow and could cause a crash, leading to a denial of service.
CVE-2023-22845: (needs triaging) An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2023-24472: (needs triaging) A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.
CVE-2023-24473: (needs triaging) An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2023-36183: (needs triaging) Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.
CVE-2023-42295: (needs triaging) An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c
CVE-2023-42299: (needs triaging) Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function.
CVE-2024-40630: (needs triaging) OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input functionality of OpenImageIO. Specifically, in `HeifInput::seek_subimage()`. In the worst case, this can lead to an information disclosure vulnerability, particularly for programs that directly use the `ImageInput` APIs. This bug has been addressed in commit `0a2dcb4c` which is included in the 2.5.13.1 release. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2024-55192: (needs triaging) OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*).
CVE-2024-55193: (needs triaging) OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.
CVE-2024-55194: (needs triaging) OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.
CVE-2024-55195: (needs triaging) An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO v3.1.0.0dev may cause a Denial of Service (DoS) when the program to requests to allocate too much space.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-04-09 Last update: 2025-02-27 05:02

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2023-01-06 Last update: 2024-09-08 22:29

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-02-26] openimageio 2.5.18.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-02-16] Accepted openimageio 2.5.18.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2025-01-27] openimageio 2.5.16.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-10-25] Accepted openimageio 2.5.16.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2024-09-08] Accepted openimageio 2.5.15.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2024-08-11] Accepted openimageio 2.5.14.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2024-06-17] Accepted openimageio 2.5.12.0+dfsg-2 (source) into unstable (Matteo F. Vescovi)
[2024-06-15] Accepted openimageio 2.5.12.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2024-04-13] Accepted openimageio 2.5.10.1+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2024-03-26] openimageio REMOVED from testing (Debian testing watch)
[2024-02-29] Accepted openimageio 2.4.17.0+dfsg-1.1 (source) into unstable (Benjamin Drung)
[2024-01-20] openimageio 2.4.17.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-01-17] Accepted openimageio 2.5.7.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2024-01-14] Accepted openimageio 2.4.17.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2023-11-04] openimageio 2.4.16.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-10-29] Accepted openimageio 2.4.16.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2023-08-18] openimageio 2.4.14.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-08-12] Accepted openimageio 2.4.14.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2023-08-06] Accepted openimageio 2.0.5~dfsg0-1+deb10u2 (source) into oldoldstable (Markus Koschany)
[2023-07-17] openimageio 2.4.13.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-07-02] Accepted openimageio 2.4.13.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2023-06-24] Accepted openimageio 2.4.12.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2023-04-16] Accepted openimageio 2.2.10.1+dfsg-1+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-10] Accepted openimageio 2.2.10.1+dfsg-1+deb11u1 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-04] Accepted openimageio 2.0.5~dfsg0-1+deb10u1 (source) into oldstable (Markus Koschany)
[2023-03-12] Accepted openimageio 2.4.9.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2023-01-28] openimageio 2.4.7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-01-22] Accepted openimageio 2.4.7.1+dfsg-2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2023-01-18] Accepted openimageio 2.4.7.1+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
[2023-01-18] Accepted openimageio 2.3.21.0+dfsg-1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.5.18.0+dfsg-1build1
2 bugs