Upstream update available: openexr 3.2.4 → 3.4.12 #3

New issue

Open

opened 2026-05-24 23:15:32 +03:00 by sbelikov · 0 comments

sbelikov commented 2026-05-24 23:15:32 +03:00

Owner

Copy link

Upstream update available: openexr 3.2.4 → 3.4.12

Package

• Package: openexr
• RPM name: openexr
• Branch: niceos-5.2
• Current EVR: 3.2.4-1
• Update class: minor
• Compare method: python_rpm
• Update policy: leaf
• Risk tags: github-upstream

Upstream

• Upstream type: github
• Upstream project: AcademySoftwareFoundation/openexr
• Upstream URL: github.com — openexr
• Detected version: 3.4.12
• Tag/release: v3.4.12
• Source: github_release_latest
• Published: 2026-05-25T01:03:37Z
• Release URL: github.com — v3.4.12
• Source URL: api.github.com — v3.4.12
• Pre-release: False

Signals

• Security-relevant keywords detected: True
• Policy blocked: False
• Policy reason: -
• Labels: ai-summary, bot, needs-build, needs-triage, priority/high, security-release, update/minor, upstream-update, upstream/github

NiceSOFT AI preliminary stability analysis

1. Краткий вывод

Пакет openexr получил патч с исправлением нескольких багов и устранением уязвимостей, связанных с утечками данных и ошибками в обработке изображений. Внесены исправления для версии 3.4.12, которые охватывают ключевые уязвимости, включая CVE-2026-45696 и CVE-2026-44663.

---

2. Риски

• Риски (Medium): Уязвимости в коде требуют исправления, но патч является минорным. Важно проверить, нет ли изменений в ABI или интерфейсе.
• Секреты (Security/CVE): Указаны конкретные уязвимости (CVE-2026-45696, CVE-2026-44663), которые требуют применения.

---

3. ABI/API риск

• Риск (Low): Патч не содержит изменений в ABI или интерфейсе, поэтому риск изменения поведения пакета минималь.

---

4. Риски RPM-образа

• Риск (Low): Патч включает исправления, но проверка спецификаций и пакетов требует внимания.

---

5. Проверка для maintainer

• Проверка:
  • Убедиться, что исправлены уязвимости (CVE-2026-45696, CVE-2026-44663).
  • Проверить, нет ли изменений в ABI или интерфейсе.
  • Убедиться, что патч применяется корректно в системе.

---

6. Рекомендации

• Рекомендация: Установить пакет как candidate (кандидат на обновление), так как патч безопасен и охватывает ключевые уязвимости.

---

7. Причина рекомендации

Патч является минорным, но содержит важные исправления уязвимостей, которые требуют применения. Риск для системы низкий, но важно проверить исправления и обеспечить их корректное применение.

Источники, найденные web_search

1. GitHub release API: AcademySoftwareFoundation/openexr v3.4.12
2. GitHub tag page: AcademySoftwareFoundation/openexr v3.4.12
3. GitHub releases page: AcademySoftwareFoundation/openexr
4. GitHub compare page: AcademySoftwareFoundation/openexr v3.2.4...v3.4.12
5. OpenEXR
6. AcademySoftwareFoundation/openexr v3.4.12 on GitHub
7. Releases · AcademySoftwareFoundation/openexr - GitHub | Release Alert
8. GitHub - AcademySoftwareFoundation/openexr: The OpenEXR project ...

Upstream release notes / description

Patch release that addresses several bugs and security vulnerabilities.

• 🐛 Fix several minor memory leaks recovering from reading invalid files.
• 🐛 The compressor API incorrectly identified HTJ2K and HTJ2K256 as lossy; they are lossles.
• 🐛 Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures.
• ⚠️ The WidenFilename utility function is marked as deprecated, to be removed in a future release.
• ✨ exrmetrics now print the on-disk size of the data portion of each part. Useful for determining compression impact on part data

For the python module:

• 🐍 🐛 Reject files where the dataWindows does not match the pixel array dimensions.
• 🐍 ✨ Support NumPy float vector attributes
• 🐍 ✨ Reading now skips over invalid parts, returns the valid parts only.
• 🐍 📖 Doc strings have proper indentation

This release addresses the following security vulnerabilities:

• CVE-2026-45696 OpenEXR ht_undo_impl heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode
• CVE-2026-44663 Integer overflow in HTJ2K decoder ( ht_undo_impl ) leading to heap-buffer-overflow
• OSS-Fuzz 512895184 Null-dereference WRITE in Imf_4_0::TileProcess::run_decode
• OSS-fuzz 512314697 Direct-leak in internal_exr_add_part
• OSS-fuzz 508362159 Heap-buffer-overflow in DwaCompressor_uncompress
• OSS-fuzz 507413960 Heap-buffer-overflow in generic_unpack

NiceOS maintainer checklist

• Confirm that the detected version is a stable upstream release.
• Check upstream changelog for security fixes, ABI/API changes and build-system changes.
• Check ABI/API compatibility and reverse dependencies.
• Download source into NiceOS lookaside storage.
• Update Version and related fields in SPECS/*.spec only if policy allows it.
• Regenerate SOURCES/sources.lock.json, manifests, metadata and SBOM.
• Build SRPM/RPM in a clean NiceOS buildroot.
• Run package smoke tests.
• Link PR/build logs and close this issue after update or triage.

Bot metadata

• Tool: niceos_upstream_monitor.py 2.1.3-local-websearch-github-release-pages
• Generated at: 2026-06-15T00:17:21Z

<!-- niceos-upstream-monitor:fingerprint=upstream-update:openexr:3.4.12 --> <!-- niceos-upstream-monitor:package=openexr --> <!-- niceos-upstream-monitor:current=3.2.4 --> <!-- niceos-upstream-monitor:latest=3.4.12 --> # Upstream update available: `openexr` `3.2.4` → `3.4.12` ## Package - Package: `openexr` - RPM name: `openexr` - Branch: `niceos-5.2` - Current EVR: `3.2.4-1` - Update class: `minor` - Compare method: `python_rpm` - Update policy: `leaf` - Risk tags: `github-upstream` ## Upstream - Upstream type: `github` - Upstream project: `AcademySoftwareFoundation/openexr` - Upstream URL: <a href="https://github.com/AcademySoftwareFoundation/openexr" target="_blank" rel="noopener noreferrer">github.com — openexr</a> - Detected version: `3.4.12` - Tag/release: `v3.4.12` - Source: `github_release_latest` - Published: `2026-05-25T01:03:37Z` - Release URL: <a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.12" target="_blank" rel="noopener noreferrer">github.com — v3.4.12</a> - Source URL: <a href="https://api.github.com/repos/AcademySoftwareFoundation/openexr/tarball/v3.4.12" target="_blank" rel="noopener noreferrer">api.github.com — v3.4.12</a> - Pre-release: `False` ## Signals - Security-relevant keywords detected: `True` - Policy blocked: `False` - Policy reason: `-` - Labels: `ai-summary, bot, needs-build, needs-triage, priority/high, security-release, update/minor, upstream-update, upstream/github` ## NiceSOFT AI preliminary stability analysis ### 1. Краткий вывод Пакет openexr получил патч с исправлением нескольких багов и устранением уязвимостей, связанных с утечками данных и ошибками в обработке изображений. Внесены исправления для версии 3.4.12, которые охватывают ключевые уязвимости, включая CVE-2026-45696 и CVE-2026-44663. --- ### 2. Риски - **Риски (Medium)**: Уязвимости в коде требуют исправления, но патч является минорным. Важно проверить, нет ли изменений в ABI или интерфейсе. - **Секреты (Security/CVE)**: Указаны конкретные уязвимости (CVE-2026-45696, CVE-2026-44663), которые требуют применения. --- ### 3. ABI/API риск - **Риск (Low)**: Патч не содержит изменений в ABI или интерфейсе, поэтому риск изменения поведения пакета минималь. --- ### 4. Риски RPM-образа - **Риск (Low)**: Патч включает исправления, но проверка спецификаций и пакетов требует внимания. --- ### 5. Проверка для maintainer - **Проверка**: - Убедиться, что исправлены уязвимости (CVE-2026-45696, CVE-2026-44663). - Проверить, нет ли изменений в ABI или интерфейсе. - Убедиться, что патч применяется корректно в системе. --- ### 6. Рекомендации - **Рекомендация**: Установить пакет как **candidate** (кандидат на обновление), так как патч безопасен и охватывает ключевые уязвимости. --- ### 7. Причина рекомендации Патч является минорным, но содержит важные исправления уязвимостей, которые требуют применения. Риск для системы низкий, но важно проверить исправления и обеспечить их корректное применение. ### Источники, найденные web_search 1. <a href="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.12" target="_blank" rel="noopener noreferrer">GitHub release API: AcademySoftwareFoundation/openexr v3.4.12</a> 2. <a href="https://github.com/AcademySoftwareFoundation/openexr/tree/v3.4.12" target="_blank" rel="noopener noreferrer">GitHub tag page: AcademySoftwareFoundation/openexr v3.4.12</a> 3. <a href="https://github.com/AcademySoftwareFoundation/openexr/releases" target="_blank" rel="noopener noreferrer">GitHub releases page: AcademySoftwareFoundation/openexr</a> 4. <a href="https://github.com/AcademySoftwareFoundation/openexr/compare/v3.2.4...v3.4.12" target="_blank" rel="noopener noreferrer">GitHub compare page: AcademySoftwareFoundation/openexr v3.2.4...v3.4.12</a> 5. <a href="https://openexr.com/en/latest/index.html" target="_blank" rel="noopener noreferrer">OpenEXR</a> 6. <a href="https://newreleases.io/project/github/AcademySoftwareFoundation/openexr/release/v3.4.12" target="_blank" rel="noopener noreferrer">AcademySoftwareFoundation/openexr v3.4.12 on GitHub</a> 7. <a href="https://releasealert.dev/github/AcademySoftwareFoundation/openexr" target="_blank" rel="noopener noreferrer">Releases · AcademySoftwareFoundation/openexr - GitHub | Release Alert</a> 8. <a href="https://github.com/AcademySoftwareFoundation/openexr" target="_blank" rel="noopener noreferrer">GitHub - AcademySoftwareFoundation/openexr: The OpenEXR project ...</a> ## Upstream release notes / description Patch release that addresses several bugs and security vulnerabilities. * 🐛 Fix several minor memory leaks recovering from reading invalid files. * 🐛 The compressor API incorrectly identified `HTJ2K` and `HTJ2K256` as lossy; they are lossles. * 🐛 Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures. * ⚠️ The `WidenFilename` utility function is marked as deprecated, to be removed in a future release. * ✨ `exrmetrics` now print the on-disk size of the data portion of each part. Useful for determining compression impact on part data For the python module: * 🐍 🐛 Reject files where the dataWindows does not match the pixel array dimensions. * 🐍 ✨ Support NumPy float vector attributes * 🐍 ✨ Reading now skips over invalid parts, returns the valid parts only. * 🐍 📖 Doc strings have proper indentation This release addresses the following security vulnerabilities: * <a href="https://www.cve.org/CVERecord?id=CVE-2026-45696" target="_blank" rel="noopener noreferrer">CVE-2026-45696</a> OpenEXR `ht_undo_impl` heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode * <a href="https://www.cve.org/CVERecord?id=CVE-2026-44663" target="_blank" rel="noopener noreferrer">CVE-2026-44663</a> Integer overflow in HTJ2K decoder ( `ht_undo_impl` ) leading to heap-buffer-overflow * <a href="https://issues.oss-fuzz.com/issues/512895184" target="_blank" rel="noopener noreferrer">OSS-Fuzz 512895184</a> Null-dereference WRITE in `Imf_4_0::TileProcess::run_decode` * <a href="https://issues.oss-fuzz.com/issues/512314697" target="_blank" rel="noopener noreferrer">OSS-fuzz 512314697</a> Direct-leak in `internal_exr_add_part` * <a href="https://issues.oss-fuzz.com/issues/508362159" target="_blank" rel="noopener noreferrer">OSS-fuzz 508362159</a> Heap-buffer-overflow in `DwaCompressor_uncompress` * <a href="https://issues.oss-fuzz.com/issues/507413960" target="_blank" rel="noopener noreferrer">OSS-fuzz 507413960</a> Heap-buffer-overflow in `generic_unpack` ## NiceOS maintainer checklist - [ ] Confirm that the detected version is a stable upstream release. - [ ] Check upstream changelog for security fixes, ABI/API changes and build-system changes. - [ ] Check ABI/API compatibility and reverse dependencies. - [ ] Download source into NiceOS lookaside storage. - [ ] Update `Version` and related fields in `SPECS/*.spec` only if policy allows it. - [ ] Regenerate `SOURCES/sources.lock.json`, manifests, metadata and SBOM. - [ ] Build SRPM/RPM in a clean NiceOS buildroot. - [ ] Run package smoke tests. - [ ] Link PR/build logs and close this issue after update or triage. ## Bot metadata - Tool: `niceos_upstream_monitor.py 2.1.3-local-websearch-github-release-pages` - Generated at: `2026-06-15T00:17:21Z`

sbelikov added the

ai-summary

bot

needs-build

needs-triage

update/minor

upstream-update

upstream/github

priority/medium

labels 2026-05-24 23:15:32 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

niceos-5.2

No results found.

Labels

Clear labels   

ai-summary

Issue contains local NiceSOFT AI generated preliminary analysis

  

auto-analysis

Created by niceos_cve_create_issues.py

  

bot

Created by automation

  

cve

Created by niceos_cve_create_issues.py

  

match-cpe-range

Created by niceos_cve_create_issues.py

  

needs-build

Needs build verification

  

needs-triage

Needs maintainer triage

  

priority/high

High priority

  

priority/medium

Medium priority

  

security

Created by niceos_cve_create_issues.py

  

security-release

Release notes mention security fixes or CVE

  

severity-high

Created by niceos_cve_create_issues.py

  

source-niceos-scan

Created by niceos_cve_create_issues.py

  

source-nvd

Created by niceos_cve_create_issues.py

  

update/minor

Minor update

  

upstream-update

New upstream version is available

  

upstream/github

GitHub upstream

No labels

ai-summary

auto-analysis

bot

cve

match-cpe-range

needs-build

needs-triage

priority/high

priority/medium

security

security-release

severity-high

source-niceos-scan

source-nvd

update/minor

upstream-update

upstream/github

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

rpms/openexr#3

No description provided.