add three bug/CVE references

baselibs.conf

@@ -1,5 +1,5 @@
-libOpenEXR-3_2-31
-libOpenEXRCore-3_2-31
-libOpenEXRUtil-3_2-31
-libIlmThread-3_2-31
-libIex-3_2-31
+libOpenEXR-3_4-33
+libOpenEXRCore-3_4-33
+libOpenEXRUtil-3_4-33
+libIlmThread-3_4-33
+libIex-3_4-33

openexr.changes

@@ -1,3 +1,137 @@
+-------------------------------------------------------------------
+Tue Nov 11 09:16:50 UTC 2025 - pgajdos@suse.com
+
+- version update to 3.4.3
+  * Buffer overflow in PyOpenEXR_old's channels() and channel() in legacy python
+  * Use after free in PyObject_StealAttrString in legacy python
+  * Use of Uninitialized Memory in openexr
+  * Heap-based Buffer Overflow Remote Code Execution Vulnerability
+  * OSS-fuzz 456158449 Heap-buffer-overflow in generic_unpack
+  * OSS-fuzz 447429458 Heap-buffer-overflow in DwaCompressor_uncompress
+  * OSS-fuzz 439237843 Heap-buffer-overflow in internal_exr_undo_ht
+  * OSS-fuzz 436037111 Heap-buffer-overflow in generic_unpack
+  * OSS-fuzz 435779241 Heap-buffer-overflow in generic_unpack
+  * OSS-fuzz 420744464 Abrt in __cxxabiv1::failed_throw
+  * Fix a bug with re-reading a scanline file with a different set of channels.
+  * Only populate CMAKE_DEBUG_POSTFIX with _d if it is undefined, which makes
+    it possible to set CMAKE_DEBUG_POSTFIX="".
+- fixes bsc#1253233 (CVE-2025-64181)
+        bsc#1253234 (CVE-2025-64182)
+        bsc#1253235 (CVE-2025-64183)
+        bsc#1253715 (CVE-2025-12839)
+        bsc#1253714 (CVE-2025-12495)
+        bsc#1253713 (CVE-2025-12840)
+
+-------------------------------------------------------------------
+Sat Oct 18 08:05:35 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add symbol versioning to OpenEXR ELF files [boo#1252012]
+
+-------------------------------------------------------------------
+Sun Oct 12 08:32:24 UTC 2025 - ecsos <ecsos@opensuse.org>
+
+- Update to 0.24.1
+  - Patch release that fixes a build issue: OpenJPH headers are now
+    included from the openjph folder, as required by OpenJPH 0.23+.
+  - No change in functionality.
+- Drop ojph-0.23.patch because no more needed.
+
+-------------------------------------------------------------------
+Fri Sep 19 15:41:52 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Add ojph-0.23.patch to fix building against openjph >= 0.23.0
+  https://github.com/AcademySoftwareFoundation/openexr/issues/2130
+- fix upstream URL
+
+-------------------------------------------------------------------
+Wed Sep 10 10:05:27 UTC 2025 - pgajdos@suse.com
+
+- version update to 3.4.0
+  * Additional compression option to the OpenEXR file format for
+    lossless compression with High Throughput JPEG-2000 (HTJ2K).
+  * New colorInteropID standard attribute.
+  * New bytes attribute type.
+  * TBB as a global thread provider.
+  * Using openexr via cmake add_subdirectory now works properly.
+  * The Python module now allows an empty part name for a single-part file
+  * The header_only option for Python module's OpenEXR.File now works properly.
+
+-------------------------------------------------------------------
+Wed Aug  6 11:06:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Fix build on code 15 by forcing gcc 14
+
+-------------------------------------------------------------------
+Mon Aug  4 08:29:48 UTC 2025 - pgajdos@suse.com
+
+- version update 
+  3.3.5
+  * :bug: Fix for DeepScanlineInputFile read memory leak
+  * :rocket: OpenEXRCore Deep pixel unpacking optimisation
+  3.3.4
+  * :bug: Fix a crash with deep scanline input
+  * :bug: Fix a bug when reading a file with missing tiles
+  * :bug: Fix a crash in exrmetrics
+  * :hammer_and_wrench: Fix a problem with /EHsc and /MP flags that broke CUDA compilation
+  * :hammer_and_wrench: Fix a build failure on MinGW
+  * :rocket: Enable vectorisation for ZIP reconstruct stage on Windows
+  3.3.3
+  * :bug: Fix a bug involving deep tiled images
+  * :bug: Adjust the clamping on the dwa compression (Issue [1982](https://github.com/AcademySoftwareFoundation/openexr/issues/1982))
+  * :bug: Address issues with small exr files and header parse (Issue [1984](https://github.com/AcademySoftwareFoundation/openexr/issues/1984))
+  * :bug: Fix crash if user does not provide memory when filling deep framebuffer
+  * :bug: Fix bad pointer SSE math causing out-of-bounds access
+  * :bug: Fix potential buffer overwrite with zip data
+  * :bug: Fix usage of utf-8 filenames for windows
+  * :bug: Fix regression in reading EXR images on 32bit Windows involving `atomic_compare_exchange_strong`
+  * :bug: Add checks to avoid using optimizations when inappropriate (Issue [1949](https://github.com/AcademySoftwareFoundation/openexr/issues/1949))
+  * :bug: Convert dwa encoder to use algorithm quantize (Issue [1915](https://github.com/AcademySoftwareFoundation/openexr/issues/1915))
+  * :bug: Fix incorrect v3 array size validation
+  * :rocket: Add minor huf encode / decode performance optimizations
+  * :hammer_and_wrench: Add numpy dependency to python wrapper (Issue [1919](https://github.com/AcademySoftwareFoundation/openexr/issues/1919))
+  * :hammer_and_wrench: Remove duplicate cmake dependency from skbuild plugin (Issue [1958](https://github.com/AcademySoftwareFoundation/openexr/pull/1958))
+  * :hammer_and_wrench: Don't set the library postfix in the cmake cache (Issue [1981](https://github.com/AcademySoftwareFoundation/openexr/issues/1981))
+  3.3.2
+  * A recent change to CMake had the unintended consequence of
+    installing headers and libraries from `libdeflate` when doing an
+    internal build. This is now fixed.
+  * Fix custom namespaces
+  * Add thread control to `exrmetrics` tool
+  * Reintroduce single cache for successive scanline reads
+  * Allow empty filename when providing a custom stream
+  * Handle non-seekable stream in python module's `InputFile` object
+  3.3.1
+  * Fix a performance regression 3.3.0 in huf/piz compression
+  * Replace ``FetchContent_Populate`` with ``FetchContent_MakeAvailable``
+  * Build wheels for python 3.12
+  * Fix a problem with python wheel sdist that caused local build to fail
+  * Compile source files in parallel under MSVC
+  3.3.0
+  Minor release two significant changes:
+  * The C++ API now uses the OpenEXRCore library underneath.
+  * New API for accessing compression types
+  * New bin tools:
+    - ``exrmetrics`` - Read an OpenEXR image from infile, write an
+      identical copy to outfile reporting time taken to read/write and
+      file sizes. Useful for benchmarking performance in space and time.
+    - ``exrmanifest`` - Read exr files and print the contents of the
+      embedded manifest. The manifest provides a mapping between integer
+      object identifiers and human-readible strings. See [OpenEXR Deep
+  3.2.4
+  * This release also removes the unused CMake option
+    - ``OPENEXR_INSTALL_EXAMPLES``, and fixes some other compiler warnings.
+  3.2.3
+  * Fix `bswap` on NetBSD
+  * Fix issue with decompressing fp32 dwa files
+  * Support cmake config for `libdeflate`
+  * updated security policy
+  * miscelleneous website improvements
+- includes fixes for:
+  CVE-2025-48074 [bsc#1247504]
+  CVE-2025-48073 [bsc#1247550]
+  CVE-2025-48072 [bsc#1247551]
+  CVE-2025-48071 [bsc#1247552]
+
 -------------------------------------------------------------------
 Thu Dec 12 14:56:41 UTC 2024 - Martin Pluskal <mpluskal@suse.com>
 

openexr.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openexr
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,23 +19,29 @@
 %define prjname      openexr
 # perhaps you want to build against corresponding Imath build
 %define debug_build 0
-%define sonum 31
-%global so_suffix -3_2
+%global so_suffix -3_4
+%define sonum 33
+%if 0%{?suse_version} == 1500
+%global force_gcc_version 14
+%endif
+
 Name:           openexr
-Version:        3.2.2
+Version:        3.4.3
 Release:        0
 Summary:        Utilities for working with HDR images in OpenEXR format
 License:        BSD-3-Clause
 Group:          Development/Libraries/C and C++
 URL:            https://www.openexr.com/
-Source0:        https://github.com/openexr/openexr/archive/v%{version}.tar.gz
+Source0:        https://github.com/AcademySoftwareFoundation/openexr/archive/v%{version}.tar.gz
 Source2:        baselibs.conf
 BuildRequires:  cmake >= 3.12
 BuildRequires:  freeglut-devel
-BuildRequires:  gcc-c++
+BuildRequires:  gcc%{?force_gcc_version}
+BuildRequires:  gcc%{?force_gcc_version}-c++
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(Imath)
 BuildRequires:  pkgconfig(libdeflate)
+BuildRequires:  pkgconfig(openjph) >= 0.21.0
 BuildRequires:  pkgconfig(zlib)
 Obsoletes:      OpenEXR <= 1.6.1
 Provides:       OpenEXR = %{version}
@@ -150,12 +156,27 @@ This package contains documentation.
 %autosetup -p1
 
 %build
+%if 0%{?force_gcc_version}
+export CC="gcc-%{?force_gcc_version}"
+export CXX="g++-%{?force_gcc_version}"
+%endif
 export PTHREAD_LIBS="-lpthread"
 %if %{debug_build}
 export CXXFLAGS="%{optflags} -O0"
 %endif
+
+# The Imath ABI gets embedded into the OpenEXR C++ symbol names, and so these
+# symbols can change at a whim, but this change happens without the mandatory
+# accompanying symver definitions or SONAME bumps, and that is bad. Force-add
+# some symvers.
+#
+sym="$(pkg-config Imath --modversion | cut -d. -f1,2 | perl -pe 's{\.}{_}g')"
+sv="$PWD/exr.sym"
+echo "Imath_$sym { global: *N9Imath_$sym*; *N10Imath_$sym*; };" >"$sv"
+
 %cmake \
-  -DCMAKE_INSTALL_DOCDIR="%{_docdir}/%{name}"
+	-DCMAKE_SHARED_LINKER_FLAGS:STRING="-Wl,--version-script=$sv" \
+	-DCMAKE_INSTALL_DOCDIR="%{_docdir}/%{name}"
 %cmake_build
 
 %install
@@ -206,6 +227,8 @@ export LD_LIBRARY_PATH="%{buildroot}/%{_libdir}"
 %{_bindir}/exrmultiview
 %{_bindir}/exrmultipart
 %{_bindir}/exr2aces
+%{_bindir}/exrmanifest
+%{_bindir}/exrmetrics
 
 %files devel
 %{_includedir}/OpenEXR