Currently oiio relies on openexr and there is no option to disable its use.
Seems there are several security reports related to openexr, and there appears to be some lack of interest in repairing the issues, at least on GitHub; contact has been attempted directly with ILM. Today a discussion was started about changing the status of the openexr libraries from vulnerable to forbidden; not sure if it will get support. This is in the FreeBSD ports, which could be the first/one of many. This sounds like a very damaging step to me.

If openexr is removed as an available dependency, can oiio still be built? Could an option be added instead of multiple patches being made for each system package?

OpenEXR is a BSD-licensed project. Anyone interested in forking it?

The list of vulnerabilities in the discussion:

- CVE-2017-9110: In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
- CVE-2017-9111: In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
- CVE-2017-9112: In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
- CVE-2017-9113: In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.
- CVE-2017-9114: In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
- CVE-2017-9115: In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.
- CVE-2017-9116: In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.
-- 
FreeBSD - the place to B...Software Developing
Shane Ambler

_______________________________________________
Oiio-dev mailing list
[email protected]
http://lists.openimageio.org/listinfo.cgi/oiio-dev-openimageio.org
