Bug#1141498: opencolorio: CVE-2026-42450
Salvatore Bonaccorso
carnil at debian.org
Sun Jul 5 16:07:08 BST 2026
Source: opencolorio
Version: 2.1.3+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for opencolorio.
CVE-2026-42450[0]:
| OpenColorIO is a color management framework for visual effects and
| animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses
| `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data
| lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file
| can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the
| issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-42450
https://www.cve.org/CVERecord?id=CVE-2026-42450
[1] https://github.com/AcademySoftwareFoundation/OpenColorIO/security/advisories/GHSA-rxp3-rrgx-f547
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-phototools-devel
mailing list