Source: openexr
Version: 3.1.13-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for openexr. The information found so far is unfortunately very light; the ZDI advisory only adds that they are fixed in the v3.4.3 release, cf. [2].

CVE-2025-12839[0]:
| Academy Software Foundation OpenEXR EXR File Parsing Heap-based
| Buffer Overflow Remote Code Execution Vulnerability. This
| vulnerability allows remote attackers to execute arbitrary code on
| affected installations of Academy Software Foundation OpenEXR. User
| interaction is required to exploit this vulnerability in that the
| target must visit a malicious page or open a malicious file. The
| specific flaw exists within the parsing of EXR files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current process. Was ZDI-CAN-27947.

CVE-2025-128340[1]:
No description was found (try on a search engine)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-12839
    https://www.cve.org/CVERecord?id=CVE-2025-12839
[1] https://security-tracker.debian.org/tracker/CVE-2025-128340
    https://www.cve.org/CVERecord?id=CVE-2025-128340
[2] https://lists.aswf.io/g/openexr-dev/topic/openexr_v3_4_3_is_staged_for/116040425

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
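The advisory quoted above describes a defect class rather than a specific code path: a length taken from the file is trusted when copying into a heap buffer. The following is an added illustration of the defensive pattern that closes that class, written for this report and not taken from OpenEXR; the chunk layout (a 4-byte little-endian length followed by payload), the function names and the sample inputs are all constructed for the example. The check orders matter: the declared length is compared against the bytes actually present and against the destination capacity before any copy, and the remaining-bytes comparison uses subtraction so an attacker-chosen length cannot wrap an addition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunk layout, constructed for this example (not the EXR format):
 * 4-byte little-endian payload length, then that many payload bytes. */
#define HDR_LEN 4

/* Result codes returned by parse_chunk. */
enum chunk_status { CHUNK_OK = 0, CHUNK_ERR_TRUNCATED = 1, CHUNK_ERR_TOO_LARGE = 2 };

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy one chunk's payload into a caller-owned heap buffer of out_cap bytes.
 * The untrusted length field is validated against both the input that is
 * actually present and the destination capacity before memcpy runs. */
int parse_chunk(const unsigned char *in, size_t in_len,
                unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (in_len < HDR_LEN)
        return CHUNK_ERR_TRUNCATED;          /* not even a full header */

    uint32_t declared = read_le32(in);

    /* Subtract rather than add (in + HDR_LEN + declared) so a huge declared
     * value cannot wrap the comparison around. */
    if (declared > in_len - HDR_LEN)
        return CHUNK_ERR_TRUNCATED;          /* file claims more than it holds */

    if (declared > out_cap)
        return CHUNK_ERR_TOO_LARGE;          /* would overrun the heap buffer */

    memcpy(out, in + HDR_LEN, declared);
    *out_len = declared;
    return CHUNK_OK;
}

/* Constructed sample inputs (not captured from any real file). */
static const unsigned char SAMPLE_OK[]        = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
static const unsigned char SAMPLE_TRUNCATED[] = { 0x10, 0x00, 0x00, 0x00, 'a', 'b', 'c' }; /* claims 16, holds 3 */
static const unsigned char SAMPLE_HUGE[]      = { 0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c' }; /* claims ~4 GiB */

/* Run parse_chunk on a sample against a heap buffer of out_cap bytes and
 * return the status code; -1 only if the allocation itself fails. */
int check_sample(const unsigned char *sample, size_t sample_len, size_t out_cap)
{
    unsigned char *out = malloc(out_cap);
    size_t n = 0;
    if (!out)
        return -1;
    int rc = parse_chunk(sample, sample_len, out, out_cap, &n);
    free(out);
    return rc;
}

int check_valid(void)      { return check_sample(SAMPLE_OK, sizeof SAMPLE_OK, 8); }
int check_truncated(void)  { return check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 8); }
int check_huge(void)       { return check_sample(SAMPLE_HUGE, sizeof SAMPLE_HUGE, 8); }
int check_small_dest(void) { return check_sample(SAMPLE_OK, sizeof SAMPLE_OK, 2); } /* dest smaller than payload */

/* Payload length reported for the valid sample (3 bytes). */
size_t check_valid_len(void)
{
    unsigned char out[8];
    size_t n = 0;
    if (parse_chunk(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out, &n) != CHUNK_OK)
        return 0;
    return n;
}

int main(void)
{
    printf("valid=%d truncated=%d huge=%d small_dest=%d valid_len=%zu\n",
           check_valid(), check_truncated(), check_huge(), check_small_dest(),
           check_valid_len());
    return 0;
}
```

Both rejection paths are reachable from a single crafted length field, which is why fuzzing a parser with mutated length fields remains the standard way to find this class before release.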

