Bug#1123963: openexr: CVE-2025-12495 CVE-2025-12839 CVE-2025-128340
Sylvain Beucler
beuc at beuc.net
Fri Jan 30 15:01:35 GMT 2026
Hi,
The current triage indicates "Revisit when fixed upstream" but upstream
claims to have it fixed AFAICS:
https://github.com/AcademySoftwareFoundation/openexr/commit/b9a36b4c3ec717e994535aeb5c1beae8bfbd15e1
There are not many changes from 3.4.2 to 3.4.3:
https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.2...v3.4.3
or 3.3.5 to 3.3.6:
https://github.com/AcademySoftwareFoundation/openexr/compare/v3.3.5...v3.3.6
Unfortunately, several other security fixes are in there, and all 3 CVEs
from this BTS entry have the exact same description, including at ZDI.
They don't claim to have it fixed in 3.2.x though:
https://github.com/AcademySoftwareFoundation/openexr/compare/v3.2.4...v3.2.5
Does anybody have further info, or should I try and ask upstream?
Cheers!
Sylvain Beucler
Debian LTS Team