Overview
Request 1146590 accepted
- version update to 3.2.2 [bsc#1219498]
* [CVE-2023-5841](https://takeonme.org/cves/CVE-2023-5841.html).
Note that this bug is present in the C++ API (since v3.1.0), although
it is in a routine that is predominantly used for development and
testing. It is not likely to appear in production code.
* OSS-fuzz [66491](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66491)
Out-of-memory in openexr_exrcorecheck_fuzzer
* OSS-fuzz [66489](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66489)
Null-dereference in `Imf_3_3::realloc_deepdata`
- deleted patches
- openexr-CVE-2023-5841.patch (upstreamed)
- version update to 3.2.1
## Version 3.2.0 (August 30, 2023)
* Zip compression via ``libdeflate``
* New camdkit/camdkit-enabled standard attributes
* Updated SO versioning policy
* Python bindings & PyPI wheel
* Miscellaneous improvements
## Version 3.2.1 (September 27, 2023)
* Fix for linking statically against an external ``libdeflate``
* Fix a compile error with ``OPENEXR_VERSION_HEX``
* Fix various compiler warnings
* Pkg-config generation is now on by default for all systems, including Windows
- modified sources
% baselibs.conf
- added patches
fix CVE-2023-5841 [bsc#1219498], heap-based buffer overflow in generic_unpack_deep()
+ openexr-CVE-2023-5841.patch
This dependency does not yet exist as -32bit, but openexr does create -32bit packages. As a result, those packages are not installable
can't install libOpenEXRCore-3_2-31-32bit-3.2.1-1.1.x86_64: nothing provides libdeflate.so.0 needed by libOpenEXRCore-3_2-31-32bit-3.2.1.x86_64
Request History
pgajdos created request
- version update to 3.2.2 [bsc#1219498]
* [CVE-2023-5841](https://takeonme.org/cves/CVE-2023-5841.html).
Note that this bug is present in the C++ API (since v3.1.0), although
it is in a routine that is predominantly used for development and
testing. It is not likely to appear in production code.
* OSS-fuzz [66491](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66491)
Out-of-memory in openexr_exrcorecheck_fuzzer
* OSS-fuzz [66489](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66489)
Null-dereference in `Imf_3_3::realloc_deepdata`
- deleted patches
- openexr-CVE-2023-5841.patch (upstreamed)
- version update to 3.2.1
## Version 3.2.0 (August 30, 2023)
* Zip compression via ``libdeflate``
* New camdkit/camdkit-enabled standard attributes
* Updated SO versioning policy
* Python bindings & PyPI wheel
* Miscellaneous improvements
## Version 3.2.1 (September 27, 2023)
* Fix for linking statically against an external ``libdeflate``
* Fix a compile error with ``OPENEXR_VERSION_HEX``
* Fix various compiler warnings
* Pkg-config generation is now on by default for all systems, including Windows
- modified sources
% baselibs.conf
- added patches
fix CVE-2023-5841 [bsc#1219498], heap-based buffer overflow in generic_unpack_deep()
+ openexr-CVE-2023-5841.patch
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
anag+factory set openSUSE:Factory:Staging:G as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:G"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:G"
dimstar accepted review
licensedigger accepted review
ok
anag+factory accepted review
Staging Project openSUSE:Factory:Staging:G got accepted.
anag+factory approved review
Staging Project openSUSE:Factory:Staging:G got accepted.
anag+factory accepted request
Staging Project openSUSE:Factory:Staging:G got accepted.
Also see https://build.opensuse.org/request/show/1146390