Your message dated Tue, 11 Mar 2025 23:24:37 +0000
with message-id <e1ts8xh-006ugi...@fasolo.debian.org>
and subject line Bug#1063414: fixed in openexr 3.1.13-1
has caused the Debian Bug report #1063414,
regarding openexr: CVE-2023-5841
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1063414: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063414
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openexr
Version: 3.1.5-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/AcademySoftwareFoundation/openexr/issues/1625 https://github.com/AcademySoftwareFoundation/openexr/pull/1627
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for openexr.

CVE-2023-5841[0]:
| Due to a failure in validating the number of scanline samples of an
| OpenEXR file containing deep scanline data, Academy Software
| Foundation OpenEXR image parsing library version 3.2.1 and prior is
| susceptible to a heap-based buffer overflow vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5841
    https://www.cve.org/CVERecord?id=CVE-2023-5841
[1] https://takeonme.org/cves/CVE-2023-5841.html
[2] https://github.com/AcademySoftwareFoundation/openexr/issues/1625
[3] https://github.com/AcademySoftwareFoundation/openexr/commit/46944c3a87ebc6c5d9a9a4962a94569ba1082bc3
[4] https://github.com/AcademySoftwareFoundation/openexr/pull/1627

Regards,
Salvatore


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
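As an added illustration of the bug class the CVE text above describes (an unvalidated sample count driving a heap allocation), and not code from OpenEXR, the Debian package, or this report: a hypothetical deep-scanline line header and per-pixel sample-count table, with the count validated before any buffer is sized or filled. The struct layout, the 8-byte sample-size limit and the 64 MiB line cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical deep-scanline line header (not OpenEXR's real on-disk layout). */
typedef struct {
    uint32_t width;            /* pixels on this scanline */
    uint32_t declared_samples; /* total sample count the file claims for the line */
    uint32_t bytes_per_sample; /* size of one sample value */
} line_hdr_t;

/* Check the per-pixel sample-count table against the declared total and
 * compute the unpacked size. Returns 0 and sets *out_bytes on success,
 * -1 if the table is inconsistent, absurd, or would exceed max_bytes. */
int validate_sample_counts(const line_hdr_t *h, const uint32_t *counts,
                           size_t counts_len, size_t max_bytes,
                           size_t *out_bytes)
{
    if (!h || !counts || !out_bytes) return -1;
    if (h->width == 0 || counts_len != h->width) return -1;
    if (h->bytes_per_sample == 0 || h->bytes_per_sample > 8) return -1;

    /* 64-bit accumulator: width and every count are 32-bit, so the sum
     * cannot wrap, unlike a 32-bit sum that crafted counts could overflow. */
    uint64_t total = 0;
    for (size_t i = 0; i < counts_len; i++)
        total += counts[i];

    /* The table, not the header, determines the allocation size; a declared
     * count that disagrees with the table is rejected outright. */
    if (total != h->declared_samples) return -1;

    uint64_t bytes = total * h->bytes_per_sample;  /* < 2^32 * 8, no wrap */
    if (bytes > max_bytes) return -1;
    *out_bytes = (size_t)bytes;
    return 0;
}

/* Unpack a line: allocate exactly the validated size and copy only if the
 * packed input really holds that many bytes. Caller frees *dst. */
int unpack_line(const line_hdr_t *h, const uint32_t *counts, size_t counts_len,
                const uint8_t *src, size_t src_len, uint8_t **dst)
{
    size_t need = 0;
    if (validate_sample_counts(h, counts, counts_len, 1u << 26, &need) != 0)
        return -1;                                   /* assumed 64 MiB line cap */
    if (src == NULL || src_len < need) return -1;    /* guard the read side too */
    *dst = malloc(need ? need : 1);
    if (*dst == NULL) return -1;
    memcpy(*dst, src, need);
    return 0;
}
```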
--- Begin Message ---
Source: openexr
Source-Version: 3.1.13-1
Done: Bastian Germann <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openexr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <b...@debian.org> (supplier of updated openexr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 11 Mar 2025 21:49:24 +0100
Source: openexr
Architecture: source
Version: 3.1.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-de...@lists.alioth.debian.org>
Changed-By: Bastian Germann <b...@debian.org>
Closes: 1063414 1068939
Changes:
 openexr (3.1.13-1) unstable; urgency=medium
 .
   * Team upload
   * Prevent .asc download as upstream has switched to sigstore
   * New upstream version 3.1.13 (Closes: #1063414, CVE-2023-5841)
   * Backport CVE-2024-31047 patch (Closes: #1068939)
 .
   [ наб ]
   * d/control: Build-Depends: remove dh-buildinfo (see #1068809)




--- End Message ---
