Source: openexr
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for openexr.

CVE-2026-42216[0]:
| OpenEXR provides the specification and reference implementation of
| the EXR file format, an image storage format for the motion picture
| industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before
| 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs
| strings from a prefix-compressed representation. If the previous
| string is longer than 255 bytes, the next string is expected to
| begin with a 2-byte prefix length. The code reads stringList[i][0]
| and stringList[i][1] without checking that the current string has at
| least two bytes. This issue has been patched in versions 3.2.9,
| 3.3.11, and 3.4.11.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4

CVE-2026-42217[1]:
| OpenEXR provides the specification and reference implementation of
| the EXR file format, an image storage format for the motion picture
| industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before
| 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger()
| decodes a variable-length integer from untrusted EXR input without
| bounding the shift count. After enough continuation bytes, the code
| executes a left shift by 70 on a 64-bit value, which is undefined
| behavior. This issue has been patched in versions 3.2.9, 3.3.11, and
| 3.4.11.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m
https://github.com/AcademySoftwareFoundation/openexr/pull/2378

Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42216
    https://www.cve.org/CVERecord?id=CVE-2026-42216
[1] https://security-tracker.debian.org/tracker/CVE-2026-42217
    https://www.cve.org/CVERecord?id=CVE-2026-42217

Please adjust the affected versions in the BTS as needed.
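The two parsing failures the advisories describe, as an added illustration of the hardened pattern rather than OpenEXR's own code: a variable-length-integer decoder that refuses to shift past 63 bits instead of reaching a shift of 70, and a prefix-compressed string reconstruction that checks each entry is at least as long as its prefix-length header before reading byte [0] and byte [1]. The 7-bit-payload/continuation-bit varint layout, the big-endian 2-byte header, the encoders used to build sample input, and all function names are assumptions made for this example; only the failure modes come from the advisory text.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Variable-length integer, LEB128 style: 7 payload bits per byte, MSB set means
// "another byte follows". Assumed layout; the advisory only states that the
// shift count was unbounded and reached 70.

// Encoder, used here only to construct well-formed sample input.
std::vector<uint8_t> encodeVarint(uint64_t v)
{
    std::vector<uint8_t> out;
    do {
        uint8_t b = static_cast<uint8_t>(v & 0x7F);
        v >>= 7;
        if (v != 0) b |= 0x80;
        out.push_back(b);
    } while (v != 0);
    return out;
}

// Hardened decoder. Returns false instead of shifting past bit 63 (the 11th
// byte would need a shift of 70, which is undefined on a 64-bit value) and
// on a buffer that ends mid-integer.
bool decodeVarintChecked(const std::vector<uint8_t>& buf, size_t& pos, uint64_t& out)
{
    uint64_t value = 0;
    unsigned shift = 0;
    while (pos < buf.size()) {
        if (shift >= 64) return false;            // the missing bound on the shift count
        uint8_t b = buf[pos++];
        value |= static_cast<uint64_t>(b & 0x7F) << shift;
        if ((b & 0x80) == 0) { out = value; return true; }
        shift += 7;
    }
    return false;                                 // truncated input
}

// Prefix-compressed string list: each entry is a prefix-length header followed
// by the bytes that differ from the previous string. The header is 1 byte unless
// the previous string is longer than 255 bytes, in which case it is 2 bytes
// (big-endian here; the byte order is an assumption).

// Encoder, used here only to construct sample input (strings assumed < 65536 bytes).
std::vector<std::string> compressPrefix(const std::vector<std::string>& strings)
{
    std::vector<std::string> list;
    std::string prev;
    for (const std::string& s : strings) {
        size_t common = 0;
        while (common < prev.size() && common < s.size() && prev[common] == s[common]) ++common;
        std::string entry;
        if (prev.size() > 255) {
            entry.push_back(static_cast<char>(common >> 8));
            entry.push_back(static_cast<char>(common & 0xFF));
        } else {
            entry.push_back(static_cast<char>(common));
        }
        entry += s.substr(common);
        list.push_back(entry);
        prev = s;
    }
    return list;
}

// Hardened reconstruction. Returns false if an entry is shorter than its header
// (the length check the advisory says was missing before reading [0] and [1])
// or if it claims a prefix longer than the previous string.
bool reconstructPrefixCompressed(const std::vector<std::string>& stringList,
                                 std::vector<std::string>& out)
{
    out.clear();
    std::string prev;
    for (const std::string& s : stringList) {
        size_t headerLen = prev.size() > 255 ? 2 : 1;
        if (s.size() < headerLen) return false;   // entry too short for its header
        size_t prefixLen = static_cast<uint8_t>(s[0]);
        if (headerLen == 2)
            prefixLen = (prefixLen << 8) | static_cast<uint8_t>(s[1]);
        if (prefixLen > prev.size()) return false; // prefix cannot exceed what exists
        std::string cur = prev.substr(0, prefixLen) + s.substr(headerLen);
        out.push_back(cur);
        prev = cur;
    }
    return true;
}

int main()
{
    std::vector<uint8_t> overlong(12, 0xFF);     // constructed: 11+ continuation bytes
    size_t pos = 0; uint64_t v = 0;
    std::printf("overlong varint rejected: %s\n", decodeVarintChecked(overlong, pos, v) ? "no" : "yes");
    std::vector<std::string> enc = compressPrefix({std::string(300, 'x'), "y"});
    enc[1] = std::string(1, '\0');               // constructed: 1-byte entry where 2 header bytes are expected
    std::vector<std::string> out;
    std::printf("short entry rejected: %s\n", reconstructPrefixCompressed(enc, out) ? "no" : "yes");
    return 0;
}
```

Both hardened routines reject rather than clamp: a decoder that silently masks an over-long integer or treats a missing header byte as zero still lets crafted input steer later allocations, so the safer behaviour for an untrusted EXR stream is to fail the parse.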

