Your message dated Tue, 17 Feb 2026 01:00:21 +0000
with message-id <[email protected]>
and subject line Bug#1125416: fixed in opencolorio 2.5.1+dfsg-1
has caused the Debian Bug report #1125416,
regarding opencolorio: CVE-2025-15506
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125416
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: opencolorio
Version: 2.1.3+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for opencolorio.
CVE-2025-15506[0]:
| A vulnerability was found in AcademySoftwareFoundation OpenColorIO
| up to 2.5.0. This issue affects the function
| ConvertToRegularExpression of the file
| src/OpenColorIO/FileRules.cpp. Performing a manipulation results in
| out-of-bounds read. The attack needs to be approached locally. The
| exploit has been made public and could be used. The patch is named
| ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is
| recommended to deploy a patch. The fix was added to the 2.5.1
| milestone.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-15506
https://www.cve.org/CVERecord?id=CVE-2025-15506
[1] https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228
[2] https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: opencolorio
Source-Version: 2.5.1+dfsg-1
Done: Matteo F. Vescovi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
opencolorio, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matteo F. Vescovi <[email protected]> (supplier of updated opencolorio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Feb 2026 17:26:26 +0100
Source: opencolorio
Binary: libopencolorio-dev libopencolorio2.5 libopencolorio2.5-dbgsym
opencolorio-tools python3-pyopencolorio
Architecture: source amd64
Version: 2.5.1+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian PhotoTools Maintainers
<[email protected]>
Changed-By: Matteo F. Vescovi <[email protected]>
Description:
libopencolorio-dev - complete color management solution - development
libopencolorio2.5 - complete color management solution - runtime
opencolorio-tools - complete color management solution - utilities
python3-pyopencolorio - complete color management solution - Python bindings
Closes: 1125416
Changes:
opencolorio (2.5.1+dfsg-1) experimental; urgency=medium
.
[ Matteo F. Vescovi ]
* New upstream release (Closes: #1125416)
This release addresses CVE-2025-15506:
| A vulnerability was found in AcademySoftwareFoundation OpenColorIO
| up to 2.5.0. This issue affects the function
| ConvertToRegularExpression of the file
| src/OpenColorIO/FileRules.cpp. Performing a manipulation results in
| out-of-bounds read. The attack needs to be approached locally. The
| exploit has been made public and could be used.
* debian/: SONAME bump 2.1 -> 2.5
* debian/control:
- b-dep switch pkg-config -> pkgconf
- libminizip-ng-dev b-dep added
- strict versioning for pystring added
- S-V bump 4.6.1 -> 4.7.3 (no changes needed)
- Priority field dropped (obsolete)
- RRR field dropped (obsolete)
* debian/watch: v4 -> v5 switch
* debian/python3-pyopencolorio.install: path fixed
* debian/libopencolorio2.5.lintian-overrides: file dropped (useless)
.
[ Jordan Justen ]
* d/patches: Update patches for v2.5.1
* d/rules: Stop deleting Findyaml-cpp.cmake.
Ref: c075bff0 ("Import Debian changes 2.1.2+dfsg1-4.1")
-----BEGIN PGP SIGNATURE-----
Comment: Debian powered!
-----END PGP SIGNATURE-----
--- End Message ---