2 Commits

Author SHA256 Message Date
Petr Gajdos
319c549154 add three bug/CVE references 2025-11-20 16:55:19 +01:00
Petr Gajdos
4cc7b721a8 version update to 3.4.3, fixes several security bugs 2025-11-14 11:43:07 +01:00
5 changed files with 172 additions and 15 deletions

@@ -1,5 +1,5 @@
libOpenEXR-3_2-31
libOpenEXRCore-3_2-31
libOpenEXRUtil-3_2-31
libIlmThread-3_2-31
libIex-3_2-31
libOpenEXR-3_4-33
libOpenEXRCore-3_4-33
libOpenEXRUtil-3_4-33
libIlmThread-3_4-33
libIex-3_4-33
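
Review bot: these five names hard-code the same suffix and soname number that the spec file keeps in so_suffix and sonum, so the two files have to be bumped together by hand. They agree in this change (-3_4 and 33 in both places); a comment next to the so_suffix and sonum definitions in the spec, pointing at baselibs.conf, would make a future mismatch easier to catch.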

@@ -1,3 +1,137 @@
-------------------------------------------------------------------
Tue Nov 11 09:16:50 UTC 2025 - pgajdos@suse.com
- version update to 3.4.3
* Buffer overflow in PyOpenEXR_old's channels() and channel() in legacy python
* Use after free in PyObject_StealAttrString in legacy python
* Use of Uninitialized Memory in openexr
* Heap-based Buffer Overflow Remote Code Execution Vulnerability
* OSS-fuzz 456158449 Heap-buffer-overflow in generic_unpack
* OSS-fuzz 447429458 Heap-buffer-overflow in DwaCompressor_uncompress
* OSS-fuzz 439237843 Heap-buffer-overflow in internal_exr_undo_ht
* OSS-fuzz 436037111 Heap-buffer-overflow in generic_unpack
* OSS-fuzz 435779241 Heap-buffer-overflow in generic_unpack
* OSS-fuzz 420744464 Abrt in __cxxabiv1::failed_throw
* Fix a bug with re-reading a scanline file with a different set of channels.
* Only populate CMAKE_DEBUG_POSTFIX with _d if it is undefined, which makes
it possible to set CMAKE_DEBUG_POSTFIX="".
- fixes bsc#1253233 (CVE-2025-64181)
bsc#1253234 (CVE-2025-64182)
bsc#1253235 (CVE-2025-64183)
bsc#1253715 (CVE-2025-12839)
bsc#1253714 (CVE-2025-12495)
bsc#1253713 (CVE-2025-12840)
-------------------------------------------------------------------
Sat Oct 18 08:05:35 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Add symbol versioning to OpenEXR ELF files [boo#1252012]
-------------------------------------------------------------------
Sun Oct 12 08:32:24 UTC 2025 - ecsos <ecsos@opensuse.org>
- Update to 0.24.1
- Patch release that fixes a build issue: OpenJPH headers are now
included from the openjph folder, as required by OpenJPH 0.23+.
- No change in functionality.
- Drop ojph-0.23.patch because no more needed.
-------------------------------------------------------------------
Fri Sep 19 15:41:52 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Add ojph-0.23.patch to fix building against openjph >= 0.23.0
https://github.com/AcademySoftwareFoundation/openexr/issues/2130
- fix upstream URL
-------------------------------------------------------------------
Wed Sep 10 10:05:27 UTC 2025 - pgajdos@suse.com
- version update to 3.4.0
* Additional compression option to the OpenEXR file format for
lossless compression with High Throughput JPEG-2000 (HTJ2K).
* New colorInteropID standard attribute.
* New bytes attribute type.
* TBB as a global thread provider.
* Using openexr via cmake add_subdirectory now works properly.
* The Python module now allows an empty part name for a single-part file
* The header_only option for Python module's OpenEXR.File now works properly.
-------------------------------------------------------------------
Wed Aug 6 11:06:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Fix build on code 15 by forcing gcc 14
-------------------------------------------------------------------
Mon Aug 4 08:29:48 UTC 2025 - pgajdos@suse.com
- version update
3.3.5
* :bug: Fix for DeepScanlineInputFile read memory leak
* :rocket: OpenEXRCore Deep pixel unpacking optimisation
3.3.4
* :bug: Fix a crash with deep scanline input
* :bug: Fix a bug when reading a file with missing tiles
* :bug: Fix a crash in exrmetrics
* :hammer_and_wrench: Fix a problem with /EHsc and /MP flags that broke CUDA compilation
* :hammer_and_wrench: Fix a build failure on MinGW
* :rocket: Enable vectorisation for ZIP reconstruct stage on Windows
3.3.3
* :bug: Fix a bug involving deep tiled images
* :bug: Adjust the clamping on the dwa compression (Issue [1982](https://github.com/AcademySoftwareFoundation/openexr/issues/1982))
* :bug: Address issues with small exr files and header parse (Issue [1984](https://github.com/AcademySoftwareFoundation/openexr/issues/1984))
* :bug: Fix crash if user does not provide memory when filling deep framebuffer
* :bug: Fix bad pointer SSE math causing out-of-bounds access
* :bug: Fix potential buffer overwrite with zip data
* :bug: Fix usage of utf-8 filenames for windows
* :bug: Fix regression in reading EXR images on 32bit Windows involving `atomic_compare_exchange_strong`
* :bug: Add checks to avoid using optimizations when inappropriate (Issue [1949](https://github.com/AcademySoftwareFoundation/openexr/issues/1949))
* :bug: Convert dwa encoder to use algorithm quantize (Issue [1915](https://github.com/AcademySoftwareFoundation/openexr/issues/1915))
* :bug: Fix incorrect v3 array size validation
* :rocket: Add minor huf encode / decode performance optimizations
* :hammer_and_wrench: Add numpy dependency to python wrapper (Issue [1919](https://github.com/AcademySoftwareFoundation/openexr/issues/1919))
* :hammer_and_wrench: Remove duplicate cmake dependency from skbuild plugin (Issue [1958](https://github.com/AcademySoftwareFoundation/openexr/pull/1958))
* :hammer_and_wrench: Don't set the library postfix in the cmake cache (Issue [1981](https://github.com/AcademySoftwareFoundation/openexr/issues/1981))
3.3.2
* A recent change to CMake had the unintended consequence of
installing headers and libraries from `libdeflate` when doing an
internal build. This is now fixed.
* Fix custom namespaces
* Add thread control to `exrmetrics` tool
* Reintroduce single cache for successive scanline reads
* Allow empty filename when providing a custom stream
* Handle non-seekable stream in python module's `InputFile` object
3.3.1
* Fix a performance regression 3.3.0 in huf/piz compression
* Replace ``FetchContent_Populate`` with ``FetchContent_MakeAvailable``
* Build wheels for python 3.12
* Fix a problem with python wheel sdist that caused local build to fail
* Compile source files in parallel under MSVC
3.3.0
Minor release two significant changes:
* The C++ API now uses the OpenEXRCore library underneath.
* New API for accessing compression types
* New bin tools:
- ``exrmetrics`` - Read an OpenEXR image from infile, write an
identical copy to outfile reporting time taken to read/write and
file sizes. Useful for benchmarking performance in space and time.
- ``exrmanifest`` - Read exr files and print the contents of the
embedded manifest. The manifest provides a mapping between integer
object identifiers and human-readible strings. See [OpenEXR Deep
3.2.4
* This release also removes the unused CMake option
- ``OPENEXR_INSTALL_EXAMPLES``, and fixes some other compiler warnings.
3.2.3
* Fix `bswap` on NetBSD
* Fix issue with decompressing fp32 dwa files
* Support cmake config for `libdeflate`
* updated security policy
* miscelleneous website improvements
- includes fixes for:
CVE-2025-48074 [bsc#1247504]
CVE-2025-48073 [bsc#1247550]
CVE-2025-48072 [bsc#1247551]
CVE-2025-48071 [bsc#1247552]
-------------------------------------------------------------------
Thu Dec 12 14:56:41 UTC 2024 - Martin Pluskal <mpluskal@suse.com>
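
Review bot: the Sun Oct 12 entry reads "Update to 0.24.1", which does not fit the 3.x versions in the entries on either side of it (3.4.0 on Sep 10, 3.4.3 on Nov 11) or the Version field in the spec; please correct it to the release that was actually packaged. The 3.3.0 block is also cut off mid-sentence at "See [OpenEXR Deep" and runs straight into 3.2.4. In the Nov 11 entry, the six bsc/CVE references are listed without saying which of the bullets above addresses which one; pairing each reference with its fix would make the entry easier to audit later.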

@@ -1,7 +1,7 @@
#
# spec file for package openexr
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,23 +19,29 @@
%define prjname openexr
# perhaps you want to build against corresponding Imath build
%define debug_build 0
%define sonum 31
%global so_suffix -3_2
%global so_suffix -3_4
%define sonum 33
%if 0%{?suse_version} == 1500
%global force_gcc_version 14
%endif
Name: openexr
Version: 3.2.2
Version: 3.4.3
Release: 0
Summary: Utilities for working with HDR images in OpenEXR format
License: BSD-3-Clause
Group: Development/Libraries/C and C++
URL: https://www.openexr.com/
Source0: https://github.com/openexr/openexr/archive/v%{version}.tar.gz
Source0: https://github.com/AcademySoftwareFoundation/openexr/archive/v%{version}.tar.gz
Source2: baselibs.conf
BuildRequires: cmake >= 3.12
BuildRequires: freeglut-devel
BuildRequires: gcc-c++
BuildRequires: gcc%{?force_gcc_version}
BuildRequires: gcc%{?force_gcc_version}-c++
BuildRequires: pkgconfig
BuildRequires: pkgconfig(Imath)
BuildRequires: pkgconfig(libdeflate)
BuildRequires: pkgconfig(openjph) >= 0.21.0
BuildRequires: pkgconfig(zlib)
Obsoletes: OpenEXR <= 1.6.1
Provides: OpenEXR = %{version}
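
Review bot: the lower bound in "BuildRequires: pkgconfig(openjph) >= 0.21.0" looks inconsistent with this commit's own changelog, which describes header includes "as required by OpenJPH 0.23+" and an earlier ojph-0.23.patch for building against openjph >= 0.23.0. Please confirm that 3.4.3 still builds against 0.21 and 0.22, or raise the requirement to the oldest version that is actually tested. Separately, so_suffix moves from -3_2 to -3_4 and sonum from 31 to 33, so the library package names change and anything linked against the old ones needs a rebuild.
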
@@ -150,12 +156,27 @@ This package contains documentation.
%autosetup -p1
%build
%if 0%{?force_gcc_version}
export CC="gcc-%{?force_gcc_version}"
export CXX="g++-%{?force_gcc_version}"
%endif
export PTHREAD_LIBS="-lpthread"
%if %{debug_build}
export CXXFLAGS="%{optflags} -O0"
%endif
# The Imath ABI gets embedded into the OpenEXR C++ symbol names, and so these
# symbols can change at a whim, but this change happens without the mandatory
# accompanying symver definitions or SONAME bumps, and that is bad. Force-add
# some symvers.
#
sym="$(pkg-config Imath --modversion | cut -d. -f1,2 | perl -pe 's{\.}{_}g')"
sv="$PWD/exr.sym"
echo "Imath_$sym { global: *N9Imath_$sym*; *N10Imath_$sym*; };" >"$sv"
%cmake \
-DCMAKE_INSTALL_DOCDIR="%{_docdir}/%{name}"
-DCMAKE_SHARED_LINKER_FLAGS:STRING="-Wl,--version-script=$sv" \
-DCMAKE_INSTALL_DOCDIR="%{_docdir}/%{name}"
%cmake_build
%install
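
Review bot: sym is taken from "pkg-config Imath --modversion | cut -d. -f1,2 | perl ..." without checking the result, and the pipeline's exit status is perl's, so a failed pkg-config call leaves sym empty and the build goes on to write a version node named just "Imath_", which no longer encodes the Imath ABI. Add a check that sym is non-empty, failing the build otherwise, before writing exr.sym. Please also check that passing -DCMAKE_SHARED_LINKER_FLAGS here does not displace linker flags the %cmake macro would otherwise set, since a later -D definition of the same variable replaces an earlier one.
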
@@ -206,6 +227,8 @@ export LD_LIBRARY_PATH="%{buildroot}/%{_libdir}"
%{_bindir}/exrmultiview
%{_bindir}/exrmultipart
%{_bindir}/exr2aces
%{_bindir}/exrmanifest
%{_bindir}/exrmetrics
%files devel
%{_includedir}/OpenEXR

BIN
v3.2.2.tar.gz LFS

Binary file not shown.

BIN
v3.4.3.tar.gz LFS Normal file

Binary file not shown.