2 Commits

Author SHA256 Message Date
Petr Gajdos
319c549154 add three bug/CVE references 2025-11-20 16:55:19 +01:00
Petr Gajdos
4cc7b721a8 version update to 3.4.3, fixes several security bugs 2025-11-14 11:43:07 +01:00
9 changed files with 169 additions and 165 deletions


@@ -1,5 +1,5 @@
libOpenEXR-3_2-31
libOpenEXRCore-3_2-31
libOpenEXRUtil-3_2-31
libIlmThread-3_2-31
libIex-3_2-31
libOpenEXR-3_4-33
libOpenEXRCore-3_4-33
libOpenEXRUtil-3_4-33
libIlmThread-3_4-33
libIex-3_4-33


@@ -1,23 +0,0 @@
Index: openexr-3.2.2/src/lib/OpenEXRCore/chunk.c
===================================================================
--- openexr-3.2.2.orig/src/lib/OpenEXRCore/chunk.c
+++ openexr-3.2.2/src/lib/OpenEXRCore/chunk.c
@@ -1292,6 +1292,18 @@ exr_read_tile_chunk_info (
return pctxt->report_error (
pctxt, EXR_ERR_INVALID_ARGUMENT, "Invalid packed size of 0");
+ if (part->comp_type == EXR_COMPRESSION_NONE &&
+ cinfo->packed_size != cinfo->unpacked_size)
+ {
+ return pctxt->print_error (
+ pctxt,
+ EXR_ERR_BAD_CHUNK_LEADER,
+ "Mismatch between unpacked and packed size with uncompressed data: packed is %" PRIu64 "; unpacked is %" PRIu64,
+ cinfo->packed_size, cinfo->unpacked_size);
+ }
+
+
+
return EXR_ERR_SUCCESS;
}


@@ -1,15 +0,0 @@
Index: openexr-3.2.2/src/lib/OpenEXRCore/parse_header.c
===================================================================
--- openexr-3.2.2.orig/src/lib/OpenEXRCore/parse_header.c
+++ openexr-3.2.2/src/lib/OpenEXRCore/parse_header.c
@@ -2293,7 +2293,9 @@ internal_exr_compute_chunk_offset_size (
w = (uint64_t) (((int64_t) dw.max.x) - ((int64_t) dw.min.x) + 1);
- if (curpart->tiles)
+ if (curpart->storage_mode != EXR_STORAGE_SCANLINE &&
+ curpart->storage_mode != EXR_STORAGE_DEEP_SCANLINE &&
+ curpart->tiles)
{
const exr_attr_tiledesc_t* tiledesc = curpart->tiles->tiledesc;
int64_t tilecount = 0;


@@ -1,39 +0,0 @@
From 3d53ed21cadb612e3b9828ccf116227e6a6ce21a Mon Sep 17 00:00:00 2001
From: Kimball Thurston <kdt3rd@gmail.com>
Date: Tue, 28 Oct 2025 02:49:19 +1300
Subject: [PATCH] Fix issues with negative coordinates and sampling != 0
(#2160)
* remove unused variable
Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
* allow a single line when positions are negative with large y sampling > height
Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
---------
Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
---
src/lib/OpenEXRCore/internal_util.h | 5 +++--
src/lib/OpenEXRCore/parse_header.c | 1 -
2 files changed, 3 insertions(+), 3 deletions(-)
Index: openexr-3.2.2/src/lib/OpenEXRCore/internal_util.h
===================================================================
--- openexr-3.2.2.orig/src/lib/OpenEXRCore/internal_util.h
+++ openexr-3.2.2/src/lib/OpenEXRCore/internal_util.h
@@ -31,10 +31,10 @@ compute_sampled_lines (int height, int y
else
start = start_y;
end = start_y + height - 1;
- end -= (end % y_sampling);
+ end -= (end < 0 ? -end : end) % y_sampling;
if (start > end)
- nlines = 0;
+ nlines = start == start_y ? 1 : 0;
else
nlines = (end - start) / y_sampling + 1;
}


@@ -1,54 +0,0 @@
From c41a2fc901608c912f73bd7a0e53b3c9ccb58074 Mon Sep 17 00:00:00 2001
From: Peter Hillman <peterh@wetafx.co.nz>
Date: Thu, 30 Oct 2025 08:04:36 +1300
Subject: [PATCH] ImfCheckFile: handle partial deep tiles
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
---
src/lib/OpenEXRUtil/ImfCheckFile.cpp | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
Index: openexr-3.2.2/src/lib/OpenEXRUtil/ImfCheckFile.cpp
===================================================================
--- openexr-3.2.2.orig/src/lib/OpenEXRUtil/ImfCheckFile.cpp
+++ openexr-3.2.2/src/lib/OpenEXRUtil/ImfCheckFile.cpp
@@ -654,15 +654,24 @@ readDeepTile (T& in, bool reduceMemory,
try
{
+
in.readPixelSampleCounts (
x, y, x, y, xlevel, ylevel);
size_t bufferSize = 0;
size_t fileBufferSize = 0;
- for (int ty = 0; ty < tileHeight; ++ty)
+ Box2i tileRange =
+ in.dataWindowForTile (x, y, xlevel, ylevel);
+
+ int thisTileWidth =
+ tileRange.max.x - tileRange.min.x + 1;
+ int thisTileHeight =
+ tileRange.max.y - tileRange.min.y + 1;
+
+ for (int ty = 0; ty < thisTileHeight; ++ty)
{
- for (int tx = 0; tx < tileWidth; ++tx)
+ for (int tx = 0; tx < thisTileWidth; ++tx)
{
fileBufferSize += channelCount *
localSampleCount[ty][tx];
@@ -689,9 +698,10 @@ readDeepTile (T& in, bool reduceMemory,
pixelBuffer.resize (bufferSize);
size_t bufferIndex = 0;
- for (int ty = 0; ty < tileHeight; ++ty)
+ for (int ty = 0; ty < thisTileHeight; ++ty)
{
- for (int tx = 0; tx < tileWidth; ++tx)
+ for (int tx = 0; tx < thisTileWidth;
+ ++tx)
{
if (!reduceMemory ||
localSampleCount[ty][tx] *


@@ -1,16 +1,136 @@
-------------------------------------------------------------------
Fri Nov 14 11:53:57 UTC 2025 - pgajdos@suse.com
Tue Nov 11 09:16:50 UTC 2025 - pgajdos@suse.com
- security update
- added patches
fix CVE-2025-64181 [bsc#1253233], use of uninitialized memory in function generic_unpack()
+ openexr-CVE-2025-64181.patch
fix CVE-2025-12495 [bsc#1253714], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+ openexr-CVE-2025-12495.patch
fix CVE-2025-12839 [bsc#1253715], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+ openexr-CVE-2025-12839.patch
fix CVE-2025-12840 [bsc#1253713], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+ openexr-CVE-2025-12840.patch
- version update to 3.4.3
* Buffer overflow in PyOpenEXR_old's channels() and channel() in legacy python
* Use after free in PyObject_StealAttrString in legacy python
* Use of Uninitialized Memory in openexr
* Heap-based Buffer Overflow Remote Code Execution Vulnerability
* OSS-fuzz 456158449 Heap-buffer-overflow in generic_unpack
* OSS-fuzz 447429458 Heap-buffer-overflow in DwaCompressor_uncompress
* OSS-fuzz 439237843 Heap-buffer-overflow in internal_exr_undo_ht
* OSS-fuzz 436037111 Heap-buffer-overflow in generic_unpack
* OSS-fuzz 435779241 Heap-buffer-overflow in generic_unpack
* OSS-fuzz 420744464 Abrt in __cxxabiv1::failed_throw
* Fix a bug with re-reading a scanline file with a different set of channels.
* Only populate CMAKE_DEBUG_POSTFIX with _d if it is undefined, which makes
it possible to set CMAKE_DEBUG_POSTFIX="".
- fixes bsc#1253233 (CVE-2025-64181)
bsc#1253234 (CVE-2025-64182)
bsc#1253235 (CVE-2025-64183)
bsc#1253715 (CVE-2025-12839)
bsc#1253714 (CVE-2025-12495)
bsc#1253713 (CVE-2025-12840)
-------------------------------------------------------------------
Sat Oct 18 08:05:35 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Add symbol versioning to OpenEXR ELF files [boo#1252012]
-------------------------------------------------------------------
Sun Oct 12 08:32:24 UTC 2025 - ecsos <ecsos@opensuse.org>
- Update to 0.24.1
- Patch release that fixes a build issue: OpenJPH headers are now
included from the openjph folder, as required by OpenJPH 0.23+.
- No change in functionality.
- Drop ojph-0.23.patch because no more needed.
-------------------------------------------------------------------
Fri Sep 19 15:41:52 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Add ojph-0.23.patch to fix building against openjph >= 0.23.0
https://github.com/AcademySoftwareFoundation/openexr/issues/2130
- fix upstream URL
-------------------------------------------------------------------
Wed Sep 10 10:05:27 UTC 2025 - pgajdos@suse.com
- version update to 3.4.0
* Additional compression option to the OpenEXR file format for
lossless compression with High Throughput JPEG-2000 (HTJ2K).
* New colorInteropID standard attribute.
* New bytes attribute type.
* TBB as a global thread provider.
* Using openexr via cmake add_subdirectory now works properly.
* The Python module now allows an empty part name for a single-part file
* The header_only option for Python module's OpenEXR.File now works properly.
-------------------------------------------------------------------
Wed Aug 6 11:06:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Fix build on code 15 by forcing gcc 14
-------------------------------------------------------------------
Mon Aug 4 08:29:48 UTC 2025 - pgajdos@suse.com
- version update
3.3.5
* :bug: Fix for DeepScanlineInputFile read memory leak
* :rocket: OpenEXRCore Deep pixel unpacking optimisation
3.3.4
* :bug: Fix a crash with deep scanline input
* :bug: Fix a bug when reading a file with missing tiles
* :bug: Fix a crash in exrmetrics
* :hammer_and_wrench: Fix a problem with /EHsc and /MP flags that broke CUDA compilation
* :hammer_and_wrench: Fix a build failure on MinGW
* :rocket: Enable vectorisation for ZIP reconstruct stage on Windows
3.3.3
* :bug: Fix a bug involving deep tiled images
* :bug: Adjust the clamping on the dwa compression (Issue [1982](https://github.com/AcademySoftwareFoundation/openexr/issues/1982))
* :bug: Address issues with small exr files and header parse (Issue [1984](https://github.com/AcademySoftwareFoundation/openexr/issues/1984))
* :bug: Fix crash if user does not provide memory when filling deep framebuffer
* :bug: Fix bad pointer SSE math causing out-of-bounds access
* :bug: Fix potential buffer overwrite with zip data
* :bug: Fix usage of utf-8 filenames for windows
* :bug: Fix regression in reading EXR images on 32bit Windows involving `atomic_compare_exchange_strong`
* :bug: Add checks to avoid using optimizations when inappropriate (Issue [1949](https://github.com/AcademySoftwareFoundation/openexr/issues/1949))
* :bug: Convert dwa encoder to use algorithm quantize (Issue [1915](https://github.com/AcademySoftwareFoundation/openexr/issues/1915))
* :bug: Fix incorrect v3 array size validation
* :rocket: Add minor huf encode / decode performance optimizations
* :hammer_and_wrench: Add numpy dependency to python wrapper (Issue [1919](https://github.com/AcademySoftwareFoundation/openexr/issues/1919))
* :hammer_and_wrench: Remove duplicate cmake dependency from skbuild plugin (Issue [1958](https://github.com/AcademySoftwareFoundation/openexr/pull/1958))
* :hammer_and_wrench: Don't set the library postfix in the cmake cache (Issue [1981](https://github.com/AcademySoftwareFoundation/openexr/issues/1981))
3.3.2
* A recent change to CMake had the unintended consequence of
installing headers and libraries from `libdeflate` when doing an
internal build. This is now fixed.
* Fix custom namespaces
* Add thread control to `exrmetrics` tool
* Reintroduce single cache for successive scanline reads
* Allow empty filename when providing a custom stream
* Handle non-seekable stream in python module's `InputFile` object
3.3.1
* Fix a performance regression 3.3.0 in huf/piz compression
* Replace ``FetchContent_Populate`` with ``FetchContent_MakeAvailable``
* Build wheels for python 3.12
* Fix a problem with python wheel sdist that caused local build to fail
* Compile source files in parallel under MSVC
3.3.0
Minor release two significant changes:
* The C++ API now uses the OpenEXRCore library underneath.
* New API for accessing compression types
* New bin tools:
- ``exrmetrics`` - Read an OpenEXR image from infile, write an
identical copy to outfile reporting time taken to read/write and
file sizes. Useful for benchmarking performance in space and time.
- ``exrmanifest`` - Read exr files and print the contents of the
embedded manifest. The manifest provides a mapping between integer
object identifiers and human-readible strings. See [OpenEXR Deep
3.2.4
* This release also removes the unused CMake option
- ``OPENEXR_INSTALL_EXAMPLES``, and fixes some other compiler warnings.
3.2.3
* Fix `bswap` on NetBSD
* Fix issue with decompressing fp32 dwa files
* Support cmake config for `libdeflate`
* updated security policy
* miscelleneous website improvements
- includes fixes for:
CVE-2025-48074 [bsc#1247504]
CVE-2025-48073 [bsc#1247550]
CVE-2025-48072 [bsc#1247551]
CVE-2025-48071 [bsc#1247552]
-------------------------------------------------------------------
Thu Dec 12 14:56:41 UTC 2024 - Martin Pluskal <mpluskal@suse.com>


@@ -1,7 +1,7 @@
#
# spec file for package openexr
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,31 +19,29 @@
%define prjname openexr
# perhaps you want to build against corresponding Imath build
%define debug_build 0
%define sonum 31
%global so_suffix -3_2
%global so_suffix -3_4
%define sonum 33
%if 0%{?suse_version} == 1500
%global force_gcc_version 14
%endif
Name: openexr
Version: 3.2.2
Version: 3.4.3
Release: 0
Summary: Utilities for working with HDR images in OpenEXR format
License: BSD-3-Clause
Group: Development/Libraries/C and C++
URL: https://www.openexr.com/
Source0: https://github.com/openexr/openexr/archive/v%{version}.tar.gz
Source0: https://github.com/AcademySoftwareFoundation/openexr/archive/v%{version}.tar.gz
Source2: baselibs.conf
# CVE-2025-64181 [bsc#1253233], use of uninitialized memory in function generic_unpack()
Patch0: openexr-CVE-2025-64181.patch
# CVE-2025-12495 [bsc#1253714], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Patch1: openexr-CVE-2025-12495.patch
# CVE-2025-12839 [bsc#1253715], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Patch2: openexr-CVE-2025-12839.patch
# CVE-2025-12840 [bsc#1253713], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Patch3: openexr-CVE-2025-12840.patch
BuildRequires: cmake >= 3.12
BuildRequires: freeglut-devel
BuildRequires: gcc-c++
BuildRequires: gcc%{?force_gcc_version}
BuildRequires: gcc%{?force_gcc_version}-c++
BuildRequires: pkgconfig
BuildRequires: pkgconfig(Imath)
BuildRequires: pkgconfig(libdeflate)
BuildRequires: pkgconfig(openjph) >= 0.21.0
BuildRequires: pkgconfig(zlib)
Obsoletes: OpenEXR <= 1.6.1
Provides: OpenEXR = %{version}
@@ -158,12 +156,27 @@ This package contains documentation.
%autosetup -p1
%build
%if 0%{?force_gcc_version}
export CC="gcc-%{?force_gcc_version}"
export CXX="g++-%{?force_gcc_version}"
%endif
export PTHREAD_LIBS="-lpthread"
%if %{debug_build}
export CXXFLAGS="%{optflags} -O0"
%endif
# The Imath ABI gets embedded into the OpenEXR C++ symbol names, and so these
# symbols can change at a whim, but this change happens without the mandatory
# accompanying symver definitions or SONAME bumps, and that is bad. Force-add
# some symvers.
#
sym="$(pkg-config Imath --modversion | cut -d. -f1,2 | perl -pe 's{\.}{_}g')"
sv="$PWD/exr.sym"
echo "Imath_$sym { global: *N9Imath_$sym*; *N10Imath_$sym*; };" >"$sv"
%cmake \
-DCMAKE_INSTALL_DOCDIR="%{_docdir}/%{name}"
-DCMAKE_SHARED_LINKER_FLAGS:STRING="-Wl,--version-script=$sv" \
-DCMAKE_INSTALL_DOCDIR="%{_docdir}/%{name}"
%cmake_build
%install
@@ -214,6 +227,8 @@ export LD_LIBRARY_PATH="%{buildroot}/%{_libdir}"
%{_bindir}/exrmultiview
%{_bindir}/exrmultipart
%{_bindir}/exr2aces
%{_bindir}/exrmanifest
%{_bindir}/exrmetrics
%files devel
%{_includedir}/OpenEXR
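Review bot: The new `Source0:` line fetches an auto-generated GitHub archive tarball and no checksum or detached signature appears anywhere in this section, so the build cannot tell a tampered or regenerated upstream archive from the real one; if upstream publishes signed release assets, add `Source1: <URL of the release tarball's .asc — placeholder>` plus a `Source3: %{name}.keyring` so the source validator can verify the download. Separately, in the %build hunk the pipeline `sym="$(pkg-config Imath --modversion | cut -d. -f1,2 | perl -pe 's{\.}{_}g')"` masks a pkg-config failure behind perl's exit status and would then write a version script with an empty `Imath_` tag into `$sv`; a guard such as `[ -n "$sym" ] || exit 1` right after it makes that failure loud. Using `tr . _` instead of `perl -pe` would also remove a perl dependency that is not declared in the visible BuildRequires lines (the full list may continue outside the hunk).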

v3.2.2.tar.gz LFS


v3.4.3.tar.gz LFS Normal file
