Source: opencolorio
Version: 2.1.3+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for opencolorio.

CVE-2026-42450[0]:
| OpenColorIO is a color management framework for visual effects and
| animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses
| `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data
| lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file
| can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42450
    https://www.cve.org/CVERecord?id=CVE-2026-42450
[1] 
https://github.com/AcademySoftwareFoundation/OpenColorIO/security/advisories/GHSA-rxp3-rrgx-f547

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to