Bug#1123963: openexr: CVE-2025-12495 CVE-2025-12839 CVE-2025-128340
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 30 20:23:44 GMT 2026
Hi,
On Fri, Jan 30, 2026 at 04:01:35PM +0100, Sylvain Beucler wrote:
> Hi,
>
> The current triage indicates "Revisit when fixed upstream" but upstream
> claims to have it fixed AFAICS:
> https://github.com/AcademySoftwareFoundation/openexr/commit/b9a36b4c3ec717e994535aeb5c1beae8bfbd15e1
>
> There are not many changes from 3.4.2 to 3.4.3:
> https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.2...v3.4.3
> or 3.3.5 to 3.3.6:
> https://github.com/AcademySoftwareFoundation/openexr/compare/v3.3.5...v3.3.6
> Unfortunately, several other security fixes are in there, and all 3 CVEs from
> this BTS entry have the exact same description, including at ZDI.
>
> They don't claim to have it fixed in 3.2.x though:
> https://github.com/AcademySoftwareFoundation/openexr/compare/v3.2.4...v3.2.5
>
> Does anybody have further info, or should I try and ask upstream?
We do not have, and the problem is exactly that we do not have enough
information on the three CVEs. The overview in
https://github.com/AcademySoftwareFoundation/openexr/security
*suggests* that 3.2.x and older might not be vulnerable, but until
we have a confirmation we should not mark it as such.
I will mail upstream and put you in the recipients.
Regards,
Salvatore