Hello community,

here is the log from the commit of package openexr for openSUSE:Factory checked in at 2026-05-13 17:18:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openexr (Old)
 and      /work/SRC/openSUSE:Factory/.openexr.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openexr"

Wed May 13 17:18:27 2026 rev:78 rq:1352615 version:3.4.11

Changes:
--------
--- /work/SRC/openSUSE:Factory/openexr/openexr.changes  2026-04-30 
20:26:02.964140018 +0200
+++ /work/SRC/openSUSE:Factory/.openexr.new.1966/openexr.changes        
2026-05-13 17:18:36.177461359 +0200
@@ -1,0 +2,26 @@
+Tue May 12 06:33:22 UTC 2026 - Petr Gajdos <[email protected]>
+
+- version update to 3.4.11
+  * [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217)
+    Shift exponent overflow in `readVariableLengthInteger()` 
(`ImfIDManifest.cpp`)
+  * [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216)
+    Out-of-bounds read in `IDManifest::init()` during prefix expansion
+  * [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142)
+    Integer overflow in `ImageChannel::resize` leads to heap OOB write
+    via OpenEXRUtil public API
+  * OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155)
+    Heap-buffer-overflow in `DwaCompressor_uncompress`
+  * OSS-fuzz [505062709](https://issues.oss-fuzz.com/issues/505062709)
+    Null-dereference READ in `Imf_3_3::prefixFromLayerName`
+  - version update to 3.4.10
+  * [CVE-2026-39886](https://www.cve.org/CVERecord?id=CVE-2026-39886)
+    HTJ2K Signed Integer Overflow in `ht_undo_impl()`
+  * [CVE-2026-40244](https://www.cve.org/CVERecord?id=CVE-2026-40244)
+    Integer overflow in DWA `setupChannelData` `planarUncRle` pointer
+    arithmetic (missed variant of CVE-2026-34589)
+  * [CVE-2026-40250](https://www.cve.org/CVERecord?id=CVE-2026-40250)
+    Integer overflow in DWA decoder `outBufferEnd` pointer arithmetic
+    (missed variant of CVE-2026-34589)
+- fixes [bsc#1264354], [bsc#1264356], [bsc#1264353]
+
+-------------------------------------------------------------------
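Review bot: The `  - version update to 3.4.10` line carries two leading spaces, so it reads as a sub-item of the 3.4.11 bullet list instead of a top-level entry like `- version update to 3.4.11`; drop the indentation so the two releases are clearly separated. The closing line gives three references ([bsc#1264354], [bsc#1264356], [bsc#1264353]) for six CVEs and two OSS-fuzz issues without saying which bug tracks which CVE; listing each bsc number next to the CVE it covers would make the entry auditable. The CVE ids are also written in Markdown link syntax, which a .changes file does not render; plain ids such as CVE-2026-42217 are easier to read and to grep.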

Old:
----
  v3.4.9.tar.gz

New:
----
  v3.4.11.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openexr.spec ++++++
--- /var/tmp/diff_new_pack.IdrOEP/_old  2026-05-13 17:18:37.637522359 +0200
+++ /var/tmp/diff_new_pack.IdrOEP/_new  2026-05-13 17:18:37.641522525 +0200
@@ -26,7 +26,7 @@
 %endif
 
 Name:           openexr
-Version:        3.4.9
+Version:        3.4.11
 Release:        0
 Summary:        Utilities for working with HDR images in OpenEXR format
 License:        BSD-3-Clause

++++++ v3.4.9.tar.gz -> v3.4.11.tar.gz ++++++
/work/SRC/openSUSE:Factory/openexr/v3.4.9.tar.gz /work/SRC/openSUSE:Factory/.openexr.new.1966/v3.4.11.tar.gz differ: char 16, line 1
