Hi,

On Fri, Jan 30, 2026 at 04:01:35PM +0100, Sylvain Beucler wrote:
> Hi,
>
> The current triage indicates "Revisit when fixed upstream" but upstream
> claims to have it fixed AFAICS:
> https://github.com/AcademySoftwareFoundation/openexr/commit/b9a36b4c3ec717e994535aeb5c1beae8bfbd15e1
>
> There are not many changes from 3.4.2 to 3.4.3:
> https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.2...v3.4.3
> or 3.3.5 to 3.3.6:
> https://github.com/AcademySoftwareFoundation/openexr/compare/v3.3.5...v3.3.6
> unfortunately several other security fixes are in there, and all 3 CVEs from
> this BTS entry have the exact same description, including at ZDI.
>
> They don't claim to have it fixed in 3.2.x though:
> https://github.com/AcademySoftwareFoundation/openexr/compare/v3.2.4...v3.2.5
>
> Does anybody have further info, or should I try and ask upstream?
We do not have, and the problem is exactly that we do not have enough
information on the three CVEs.

The overview in https://github.com/AcademySoftwareFoundation/openexr/security
*suggests* that 3.2.x and older might not be vulnerable, but until we have
a confirmation we should not mark it as such.

I will mail upstream and put you in recipients.

Regards,
Salvatore
