clarify current security fixes and add two other security fixes

openexr-CVE-2025-12495.patch

@@ -0,0 +1,23 @@
+Index: openexr-3.2.2/src/lib/OpenEXRCore/chunk.c
+===================================================================
+--- openexr-3.2.2.orig/src/lib/OpenEXRCore/chunk.c
++++ openexr-3.2.2/src/lib/OpenEXRCore/chunk.c
+@@ -1292,6 +1292,18 @@ exr_read_tile_chunk_info (
+         return pctxt->report_error (
+             pctxt, EXR_ERR_INVALID_ARGUMENT, "Invalid packed size of 0");
+ 
++    if (part->comp_type == EXR_COMPRESSION_NONE &&
++       cinfo->packed_size != cinfo->unpacked_size)
++    {
++         return pctxt->print_error (
++             pctxt,
++             EXR_ERR_BAD_CHUNK_LEADER,
++             "Mismatch between unpacked and packed size with uncompressed data: packed is %" PRIu64 "; unpacked is %" PRIu64,
++             cinfo->packed_size, cinfo->unpacked_size);
++    }
++
++
++
+     return EXR_ERR_SUCCESS;
+ }
+ 

openexr-CVE-2025-12839.patch

@@ -0,0 +1,15 @@
+Index: openexr-3.2.2/src/lib/OpenEXRCore/parse_header.c
+===================================================================
+--- openexr-3.2.2.orig/src/lib/OpenEXRCore/parse_header.c
++++ openexr-3.2.2/src/lib/OpenEXRCore/parse_header.c
+@@ -2293,7 +2293,9 @@ internal_exr_compute_chunk_offset_size (
+ 
+     w = (uint64_t) (((int64_t) dw.max.x) - ((int64_t) dw.min.x) + 1);
+ 
+-    if (curpart->tiles)
++    if (curpart->storage_mode != EXR_STORAGE_SCANLINE &&
++       curpart->storage_mode != EXR_STORAGE_DEEP_SCANLINE &&
++       curpart->tiles)
+     {
+         const exr_attr_tiledesc_t* tiledesc  = curpart->tiles->tiledesc;
+         int64_t                    tilecount = 0;

openexr-CVE-2025-12840.patch

@@ -0,0 +1,39 @@
+From 3d53ed21cadb612e3b9828ccf116227e6a6ce21a Mon Sep 17 00:00:00 2001
+From: Kimball Thurston <kdt3rd@gmail.com>
+Date: Tue, 28 Oct 2025 02:49:19 +1300
+Subject: [PATCH] Fix issues with negative coordinates and sampling != 0
+ (#2160)
+
+* remove unused variable
+
+Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
+
+* allow a single line when positions are negative with large y sampling > height
+
+Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
+
+---------
+
+Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
+---
+ src/lib/OpenEXRCore/internal_util.h | 5 +++--
+ src/lib/OpenEXRCore/parse_header.c  | 1 -
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: openexr-3.2.2/src/lib/OpenEXRCore/internal_util.h
+===================================================================
+--- openexr-3.2.2.orig/src/lib/OpenEXRCore/internal_util.h
++++ openexr-3.2.2/src/lib/OpenEXRCore/internal_util.h
+@@ -31,10 +31,10 @@ compute_sampled_lines (int height, int y
+         else
+             start = start_y;
+         end = start_y + height - 1;
+-        end -= (end % y_sampling);
++        end -= (end < 0 ? -end : end) % y_sampling;
+ 
+         if (start > end)
+-            nlines = 0;
++            nlines = start == start_y ? 1 : 0;
+         else
+             nlines = (end - start) / y_sampling + 1;
+     }

openexr-CVE-2025-64181.patch

@@ -0,0 +1,54 @@
+From c41a2fc901608c912f73bd7a0e53b3c9ccb58074 Mon Sep 17 00:00:00 2001
+From: Peter Hillman <peterh@wetafx.co.nz>
+Date: Thu, 30 Oct 2025 08:04:36 +1300
+Subject: [PATCH] ImfCheckFile: handle partial deep tiles
+
+Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
+---
+ src/lib/OpenEXRUtil/ImfCheckFile.cpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+Index: openexr-3.2.2/src/lib/OpenEXRUtil/ImfCheckFile.cpp
+===================================================================
+--- openexr-3.2.2.orig/src/lib/OpenEXRUtil/ImfCheckFile.cpp
++++ openexr-3.2.2/src/lib/OpenEXRUtil/ImfCheckFile.cpp
+@@ -654,15 +654,24 @@ readDeepTile (T& in, bool reduceMemory,
+                             try
+                             {
+ 
++
+                                 in.readPixelSampleCounts (
+                                     x, y, x, y, xlevel, ylevel);
+ 
+                                 size_t bufferSize = 0;
+                                 size_t fileBufferSize = 0;
+ 
+-                                for (int ty = 0; ty < tileHeight; ++ty)
++                                Box2i tileRange =
++                                    in.dataWindowForTile (x, y, xlevel, ylevel);
++
++                                int thisTileWidth =
++                                    tileRange.max.x - tileRange.min.x + 1;
++                                int thisTileHeight =
++                                    tileRange.max.y - tileRange.min.y + 1;
++
++                                for (int ty = 0; ty < thisTileHeight; ++ty)
+                                 {
+-                                    for (int tx = 0; tx < tileWidth; ++tx)
++                                    for (int tx = 0; tx < thisTileWidth; ++tx)
+                                     {
+                                         fileBufferSize += channelCount *
+                                                 localSampleCount[ty][tx];
+@@ -689,9 +698,10 @@ readDeepTile (T& in, bool reduceMemory,
+                                     pixelBuffer.resize (bufferSize);
+                                     size_t bufferIndex = 0;
+ 
+-                                    for (int ty = 0; ty < tileHeight; ++ty)
++                                    for (int ty = 0; ty < thisTileHeight; ++ty)
+                                     {
+-                                        for (int tx = 0; tx < tileWidth; ++tx)
++                                        for (int tx = 0; tx < thisTileWidth;
++                                             ++tx)
+                                         {
+                                             if (!reduceMemory ||
+                                                 localSampleCount[ty][tx] *

openexr.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Fri Nov 14 11:53:57 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2025-64181 [bsc#1253233], use of uninitialized memory in function generic_unpack()
+  + openexr-CVE-2025-64181.patch
+  fix CVE-2025-12495 [bsc#1253714], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+  + openexr-CVE-2025-12495.patch
+  fix CVE-2025-12839 [bsc#1253715], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+  + openexr-CVE-2025-12839.patch
+  fix CVE-2025-12840 [bsc#1253713], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+  + openexr-CVE-2025-12840.patch
+
 -------------------------------------------------------------------
 Thu Dec 12 14:56:41 UTC 2024 - Martin Pluskal <mpluskal@suse.com>
 

openexr.spec

@@ -30,6 +30,14 @@ Group:          Development/Libraries/C and C++
 URL:            https://www.openexr.com/
 Source0:        https://github.com/openexr/openexr/archive/v%{version}.tar.gz
 Source2:        baselibs.conf
+# CVE-2025-64181 [bsc#1253233], use of uninitialized memory in function generic_unpack()
+Patch0:         openexr-CVE-2025-64181.patch
+# CVE-2025-12495 [bsc#1253714], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+Patch1:         openexr-CVE-2025-12495.patch
+# CVE-2025-12839 [bsc#1253715], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+Patch2:         openexr-CVE-2025-12839.patch
+# CVE-2025-12840 [bsc#1253713], Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
+Patch3:         openexr-CVE-2025-12840.patch
 BuildRequires:  cmake >= 3.12
 BuildRequires:  freeglut-devel
 BuildRequires:  gcc-c++