Your message dated Thu, 12 Mar 2026 11:33:44 +0000
with message-id <[email protected]>
and subject line Bug#1110261: fixed in openexr 3.4.6+ds-1
has caused the Debian Bug report #1110261,
regarding openexr: CVE-2025-48074
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110261: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110261
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openexr
Version: 3.1.13-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for openexr.

CVE-2025-48074[0]:
| OpenEXR provides the specification and reference implementation of
| the EXR file format, an image storage format for the motion picture
| industry. In version 3.3.2, applications trust unvalidated
| dataWindow size values from file headers, which can lead to
| excessive memory allocation and performance degradation when
| processing malicious files. This is fixed in version 3.3.3.

While the advisory explicitly mentions only 3.3.2, by code inspection
I have not seen a reason why this should only ever have been
introduced in 3.3.2 and actually affect older versions (generally
anyway not trusting a CVE description as they reflect only e.g.
assessment at a given point in time).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48074
    https://www.cve.org/CVERecord?id=CVE-2025-48074
[1] https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf
[2] https://github.com/AcademySoftwareFoundation/openexr/commit/501be087faa62d0fb7115ce3a0ebd7b4ef0117fc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
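The bug class in the advisory quoted above (a dataWindow read from the file header and used directly to size an allocation) is mitigated by validating the window before any buffer is sized. The following is an added illustration in C, not OpenEXR's code and not the upstream fix; the Box2i layout mirrors Imath's int32 inclusive bounds, and the two caps are assumed policy values rather than upstream's.

```c
/* Added example, not OpenEXR's code: reject a hostile dataWindow before
 * sizing any buffer. Box2i mirrors Imath's int32 inclusive bounds; the
 * caps below are assumed policy values, not upstream's. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
typedef struct { int32_t xMin, yMin, xMax, yMax; } Box2i;
#define MAX_DIMENSION   65535ull                     /* assumed cap per side */
#define MAX_PIXEL_BYTES (2ull * 1024 * 1024 * 1024)   /* assumed 2 GiB cap */

/* Returns true and stores the byte count the window needs; false for an
 * inverted window, zero bytes_per_pixel, or a size beyond the caps. */
bool data_window_bytes(const Box2i *dw, uint32_t bytes_per_pixel, uint64_t *out)
{
    if (bytes_per_pixel == 0 || dw->xMax < dw->xMin || dw->yMax < dw->yMin)
        return false;
    /* Widen to 64 bits first: xMax - xMin overflows int32 for extreme bounds. */
    uint64_t width  = (uint64_t)((int64_t)dw->xMax - (int64_t)dw->xMin + 1);
    uint64_t height = (uint64_t)((int64_t)dw->yMax - (int64_t)dw->yMin + 1);
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return false;
    /* width*height < 2^32 and bytes_per_pixel < 2^32, so this cannot wrap. */
    uint64_t total = width * height * bytes_per_pixel;
    if (total > MAX_PIXEL_BYTES)
        return false;
    *out = total;
    return true;
}

/* Allocate only after validation; NULL signals a rejected header. */
void *alloc_pixels(const Box2i *dw, uint32_t bytes_per_pixel)
{
    uint64_t n;
    if (!data_window_bytes(dw, bytes_per_pixel, &n) || n > SIZE_MAX)
        return NULL;
    return calloc(1, (size_t)n);
}

int main(void)
{
    Box2i hd = {0, 0, 1919, 1079};                                /* constructed 1080p */
    Box2i hostile = {INT32_MIN, INT32_MIN, INT32_MAX, INT32_MAX}; /* constructed */
    void *ok = alloc_pixels(&hd, 8);
    printf("1080p: %s, hostile: %s\n", ok ? "allocated" : "rejected",
           alloc_pixels(&hostile, 8) ? "allocated" : "rejected");
    free(ok);
    return 0;
}
```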
--- Begin Message ---
Source: openexr
Source-Version: 3.4.6+ds-1
Done: Bastian Germann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openexr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated openexr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 12 Mar 2026 12:16:34 +0100
Source: openexr
Architecture: source
Version: 3.4.6+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1110261 1120700 1123963 1130041
Changes:
 openexr (3.4.6+ds-1) unstable; urgency=medium
 .
   * Team upload
   * Repack eliminating external dir
   * New upstream version 3.4.6 (Closes: #1110261, #1120700, #1123963, #1130041)
     addresses CVE-2025-48074, CVE-2025-64181, CVE-2025-12495, CVE-2025-12839,
     CVE-2025-128340, CVE-2026-27622
   * Add new Depends
   * Drop html docs
   * Enable tests



--- End Message ---