Accepted openexr 2.2.0-11+deb9u3 (source) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Jul 2021 17:57:41 +0200
Source: openexr
Binary: openexr openexr-doc libopenexr-dev libopenexr22
Architecture: source
Version: 2.2.0-11+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 libopenexr-dev - development files for the OpenEXR image library
 libopenexr22 - runtime files for the OpenEXR image library
 openexr    - command-line tools for the OpenEXR image format
 openexr-doc - documentation and examples for the OpenEXR image format
Changes:
 openexr (2.2.0-11+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Remove unused (non-security) patches.
   * Rename security patches for clarity.
   * CVE-2020-16587: A heap-based buffer overflow vulnerability exists in
     chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause
     a denial of service via a crafted EXR file.
   * CVE-2021-3474: a crafted input file that is processed by OpenEXR could
     cause a shift overflow in the FastHufDecoder, potentially leading to
     problems with application availability.
   * CVE-2021-3475: an attacker who can submit a crafted file to be
     processed by OpenEXR could cause an integer overflow, potentially
     leading to problems with application availability.
   * CVE-2021-3476: a flaw was found in OpenEXR's B44 uncompression
     functionality. An attacker who is able to submit a crafted file to
     OpenEXR could trigger shift overflows, potentially affecting
     application availability.
   * CVE-2021-3477: flaw in deep tile sample size calculations. An attacker
     who is able to submit a crafted file could trigger an integer
     overflow, subsequently leading to an out-of-bounds read.
   * CVE-2021-3478: flaw in scanline input file functionality. An attacker
     able to submit a crafted file could consume excessive system memory.
   * CVE-2021-3479: flaw in Scanline API. An attacker who is able to submit
     a crafted file could trigger excessive consumption of memory,
     resulting in an impact to system availability.
   * CVE-2021-3598: read heap-buffer-overflow in Imf_3_1::CharPtrIO::readChars
   * CVE-2021-20296: a crafted input file supplied by an attacker, that is
     processed by the Dwa decompression functionality, could cause a NULL
     pointer dereference.
   * CVE-2021-23215: an integer overflow leading to a heap-buffer overflow
     was found in the DwaCompressor. An attacker could use this flaw to
     crash an application compiled with OpenEXR.
   * CVE-2021-26260: an integer overflow leading to a heap-buffer overflow
     was found in the DwaCompressor. An attacker could use this flaw to
     crash an application compiled with OpenEXR. This is a different flaw
     from CVE-2021-23215.
Checksums-Sha1:
 6e3e2a9d594d3422b71576365a70f38314b2d04f 2308 openexr_2.2.0-11+deb9u3.dsc
 37611fc0f1ed5be3d27890928f14af57286df92a 35284 openexr_2.2.0-11+deb9u3.debian.tar.xz
 268349f7b67cf86d6a9b9c34b129b23eb4a41a91 6916 openexr_2.2.0-11+deb9u3_amd64.buildinfo
Checksums-Sha256:
 f9618f96abe233995f5754fc932e44b97a3e593b4d4db231530e253606d3257f 2308 openexr_2.2.0-11+deb9u3.dsc
 930ea08378add37ec194af276a702c9e4335e0ff8079384629c7cd68a6196b4e 35284 openexr_2.2.0-11+deb9u3.debian.tar.xz
 4c6bc35b2ef4ce14ffa06b930395bd659876040ba36ace6388560a13831c6697 6916 openexr_2.2.0-11+deb9u3_amd64.buildinfo
Files:
 a33d6edf2e94604602375131097cc634 2308 graphics optional openexr_2.2.0-11+deb9u3.dsc
 c4e4b54a2892f43fce4e9e71b97d022b 35284 graphics optional openexr_2.2.0-11+deb9u3.debian.tar.xz
 f52039baffff9580d7e574f69b50e485 6916 graphics optional openexr_2.2.0-11+deb9u3_amd64.buildinfo
