openimageio - Debian Package Tracker

general

source: openimageio (main)
version: 2.4.7.1+dfsg-2
maintainer: Debian PhotoTools Maintainers (archive) (DMD)
uploaders: Matteo F. Vescovi [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.6.17~dfsg0-1
oldstable: 2.0.5~dfsg0-1
stable: 2.2.10.1+dfsg-1
testing: 2.4.7.1+dfsg-2
unstable: 2.4.7.1+dfsg-2
exp: 2.4.9.0+dfsg-1

versioned links

1.6.17~dfsg0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.5~dfsg0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.10.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.7.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.9.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopenimageio-dev
libopenimageio-doc
libopenimageio2.4
openimageio-tools
python3-openimageio

action needed

A new upstream version is available: 2.4.9.0 high

A new upstream version 2.4.9.0 is available, you should consider packaging it.

Created: 2023-02-04 Last update: 2023-03-28 05:13

23 security issues in buster high

There are 23 open security issues in buster.

23 important issues:

CVE-2022-36354: A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41639: A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41649: A heap out of bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. A specially-crafted TIFF file can cause a read of adjacent heap memory, which can leak sensitive process information. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41684: A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41794: A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41837: An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially-crafted exif metadata can lead to stack-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41838: A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41977: An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41981: A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41988: An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41999: A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-43592: An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.
CVE-2022-43593: A denial of service vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to null pointer dereference. An attacker can provide malicious input to trigger this vulnerability.
CVE-2022-43594: Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .bmp files.
CVE-2022-43595: Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .fits files.
CVE-2022-43596: An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.
CVE-2022-43597: Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT8`.
CVE-2022-43598: Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT16`.
CVE-2022-43599: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`
CVE-2022-43600: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
CVE-2022-43601: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
CVE-2022-43602: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`
CVE-2022-43603: A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.

Created: 2022-12-24 Last update: 2023-03-27 11:06

24 security issues in bullseye high

There are 24 open security issues in bullseye.

24 important issues:

CVE-2022-36354: A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-38143: A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41639: A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41649: A heap out of bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. A specially-crafted TIFF file can cause a read of adjacent heap memory, which can leak sensitive process information. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41684: A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41794: A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41837: An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially-crafted exif metadata can lead to stack-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41838: A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41977: An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41981: A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41988: An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-41999: A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-43592: An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.
CVE-2022-43593: A denial of service vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to null pointer dereference. An attacker can provide malicious input to trigger this vulnerability.
CVE-2022-43594: Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .bmp files.
CVE-2022-43595: Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .fits files.
CVE-2022-43596: An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.
CVE-2022-43597: Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT8`.
CVE-2022-43598: Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT16`.
CVE-2022-43599: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`
CVE-2022-43600: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
CVE-2022-43601: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
CVE-2022-43602: Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`
CVE-2022-43603: A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.

Created: 2022-12-24 Last update: 2023-03-27 11:06

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2023-01-30 Last update: 2023-03-28 07:04

lintian reports 5 warnings normal

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-01-19 Last update: 2023-02-04 05:04

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2023-01-06 Last update: 2023-01-06 15:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2023-01-23 05:08

testing migrations

This package will soon be part of the auto-ffmpeg transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-dcmtk transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-libraw transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the boost1.81 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2023-03-12] Accepted openimageio 2.4.9.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2023-01-28] openimageio 2.4.7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-01-22] Accepted openimageio 2.4.7.1+dfsg-2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2023-01-18] Accepted openimageio 2.4.7.1+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
[2023-01-18] Accepted openimageio 2.3.21.0+dfsg-1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2023-01-06] Accepted openimageio 2.3.18.0+dfsg-6 (source) into unstable (Matteo F. Vescovi)
[2022-09-26] openimageio 2.3.18.0+dfsg-5 MIGRATED to testing (Debian testing watch)
[2022-09-20] Accepted openimageio 2.3.18.0+dfsg-5 (source) into unstable (Matteo F. Vescovi)
[2022-09-14] openimageio 2.3.18.0+dfsg-4 MIGRATED to testing (Debian testing watch)
[2022-09-08] Accepted openimageio 2.3.18.0+dfsg-4 (source) into unstable (Matteo F. Vescovi)
[2022-09-04] openimageio 2.3.18.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2022-08-18] Accepted openimageio 2.3.18.0+dfsg-3 (source) into unstable (Matteo F. Vescovi)
[2022-08-17] Accepted openimageio 2.3.18.0+dfsg-2 (source) into unstable (Matteo F. Vescovi)
[2022-08-16] Accepted openimageio 2.3.18.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2022-07-23] Accepted openimageio 2.3.17.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2022-05-12] Accepted openimageio 2.3.14.0+dfsg-3 (source) into unstable (Andreas Tille)
[2022-05-02] Accepted openimageio 2.3.14.0+dfsg-2 (source) into unstable (Matteo F. Vescovi)
[2022-04-04] Accepted openimageio 2.3.14.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2022-03-29] openimageio REMOVED from testing (Debian testing watch)
[2022-03-16] openimageio 2.2.18.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-02-24] Accepted openimageio 2.3.12.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2022-02-23] Accepted openimageio 2.2.18.0+dfsg-2 (source) into unstable (Matteo F. Vescovi)
[2022-01-05] Accepted openimageio 2.3.11.0+dfsg-1 (source) into experimental (Matteo F. Vescovi) (signed by: Mattia Rizzolo)
[2021-11-11] Accepted openimageio 2.3.9.1+dfsg-1 (source) into experimental (Matteo F. Vescovi)
[2021-10-08] Accepted openimageio 2.3.8.0+dfsg-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Matteo F. Vescovi)
[2021-09-23] openimageio 2.2.18.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-09-17] Accepted openimageio 2.2.18.0+dfsg-1 (source) into unstable (Matteo F. Vescovi)
[2021-08-23] openimageio 2.2.17.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-08-17] Accepted openimageio 2.2.17.0+dfsg-2 (source) into unstable (Matteo F. Vescovi)
[2021-08-04] Accepted openimageio 2.2.17.0+dfsg-1 (source) into experimental (Matteo F. Vescovi)

bugs [bug history graph]

all: 2
RC: 1
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 5)
buildd: logs, exp, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.4.7.1+dfsg-2build2
2 bugs