Source: openexr Version: 3.4.6+ds-4 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for openexr. CVE-2026-34545[0]: | OpenEXR provides the specification and reference implementation of | the EXR file format, an image storage format for the motion picture | industry. From version 3.4.0 to before version 3.4.7, an attacker | providing a crafted .exr file with HTJ2K compression and a channel | width of 32768 can write controlled data beyond the output heap | buffer in any application that decodes EXR images. The write | primitive is 2 bytes per overflow iteration or 4 bytes (by another | path), repeating for each additional pixel past the overflow point. | In this context, a heap write overflow can lead to remote code | execution on systems. This issue has been patched in version 3.4.7. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-34545 https://www.cve.org/CVERecord?id=CVE-2026-34545 [1] https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-ghfj-fx47-wg97 [2] https://github.com/AcademySoftwareFoundation/openexr/commit/3827998f5c041d6a94c6af24bbb363daa669e4b3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
