openexr (2.5.7-1) unstable; urgency=medium

  * New upstream release
    - debian/control: bump libilmbase-dev version
    - debian/patches/series: drop CVE-2021-23169.diff (applied upstream)
    This release addresses following security issues:
    + CVE-2021-26260 and CVE-2021-23215
      | An integer overflow leading to a heap-buffer overflow
      | was found in the DwaCompressor of OpenEXR in versions
      | before 3.0.1. An attacker could use this flaw to crash
      | an application compiled with OpenEXR.
    + CVE-2021-3605 and CVE-2021-3598
      | There's a flaw in OpenEXR's rleUncompress functionality
      | in versions prior to 3.0.5. An attacker who is able to
      | submit a crafted file to an application linked with
      | OpenEXR could cause an out-of-bounds read.
      | The greatest risk from this flaw is to application
      | availability.
  * debian/watch: change path and narrow down search

 -- Matteo F. Vescovi <mfv@debian.org>  Sat, 28 Aug 2021 22:20:22 +0200

openexr (2.5.4-2) unstable; urgency=high

  * debian/patches/: patchset updated
    - CVE-2021-23169.diff added (Closes: #988240)
      | This patch aims to fix CVE-2021-23169:
      | Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
      | The patch applied is a reduced version of the upstream
      | commit, given the code base has changed in the meanwhile.

 -- Matteo F. Vescovi <mfv@debian.org>  Tue, 18 May 2021 23:26:12 +0200

openexr (2.5.4-1) unstable; urgency=medium

  * New upstream release
  * debian/watch: parameters updated
  * debian/control:
    - S-V bump 4.5.0 -> 4.5.1 (no changes needed)
    - set minimal ilmbase lib to v2.5.4

 -- Matteo F. Vescovi <mfv@debian.org>  Thu, 21 Jan 2021 23:24:00 +0100

openexr (2.5.3-2) unstable; urgency=medium

  * Upload to unstable (Closes: #959444)

 -- Matteo F. Vescovi <mfv@debian.org>  Fri, 21 Aug 2020 22:56:55 +0200

openexr (2.5.3-1) experimental; urgency=medium

  * New upstream release

 -- Matteo F. Vescovi <mfv@debian.org>  Fri, 14 Aug 2020 20:54:17 +0200

openexr (2.5.2-2) experimental; urgency=medium

  * debian/control: strict versioning against libilmbase-dev

 -- Matteo F. Vescovi <mfv@debian.org>  Thu, 06 Aug 2020 20:18:22 +0200

openexr (2.5.2-1) experimental; urgency=medium

  * New upstream release

 -- Matteo F. Vescovi <mfv@debian.org>  Thu, 06 Aug 2020 17:38:22 +0200

openexr (2.5.1-2) experimental; urgency=medium

  * debian/rules: drop tests on all architectures

 -- Matteo F. Vescovi <mfv@debian.org>  Fri, 12 Jun 2020 20:36:27 +0200

openexr (2.5.1-1) experimental; urgency=medium

  * New upstream release (Closes: #960439)
    - debian/control: SONAME bump 24 -> 25
  * debian/rules: set cmake as build system

 -- Matteo F. Vescovi <mfv@debian.org>  Thu, 21 May 2020 23:05:36 +0200

openexr (2.5.0-1) experimental; urgency=medium

  * New upstream release, fixing following security issues:
    + CVE-2020-11758:
      | An issue was discovered in OpenEXR before 2.4.1. There is an out-of-
      | bounds read in ImfOptimizedPixelReading.h.
    + CVE-2020-11759:
      | An issue was discovered in OpenEXR before 2.4.1. Because of integer
      | overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and
      | readSampleCountForLineBlock, an attacker can write to an out-of-bounds
      | pointer.
    + CVE-2020-11760:
      | An issue was discovered in OpenEXR before 2.4.1. There is an out-of-
      | bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.
    + CVE-2020-11761:
      | An issue was discovered in OpenEXR before 2.4.1. There is an out-of-
      | bounds read during Huffman uncompression, as demonstrated by
      | FastHufDecoder::refill in ImfFastHuf.cpp.
    + CVE-2020-11762:
      | An issue was discovered in OpenEXR before 2.4.1. There is an out-of-
      | bounds read and write in DwaCompressor::uncompress in
      | ImfDwaCompressor.cpp when handling the UNKNOWN compression case.
    + CVE-2020-11763:
      | An issue was discovered in OpenEXR before 2.4.1. There is an
      | std::vector out-of-bounds read and write, as demonstrated by
      | ImfTileOffsets.cpp.
    + CVE-2020-11764:
      | An issue was discovered in OpenEXR before 2.4.1. There is an out-of-
      | bounds write in copyIntoFrameBuffer in ImfMisc.cpp.
    + CVE-2020-11765:
      | An issue was discovered in OpenEXR before 2.4.1. There is an off-by-
      | one error in use of the ImfXdr.h read function by
      | DwaCompressor::Classifier::Classifier, leading to an out-of-bounds
      | read.
  * debian/watch: upstream URL updated
  * debian/control:
    - S-V bump 4.4.0 -> 4.5.0 (no changes needed)
    - RRR set
    - debhelper bump 12 -> 13
    - cmake b-dep added
  * debian/patches/: patchset refreshed against v2.5.0
  * debian/copyright: entries updated and refreshed
  * debian/libopenexr-dev.install: useless files dropped
  * debian/libopenexr-dev.dirs: useless file dropped
  * debian/openexr-doc.docs: installation path updated
  * debian/openexr.install: executables path updated
  * debian/libopenexr-dev.install: cmake helpers added
  * debian/openexr-doc.examples: installation paths updated

 -- Matteo F. Vescovi <mfv@debian.org>  Mon, 11 May 2020 16:33:24 +0200

# For older changelog entries, run 'apt-get changelog openexr-doc'