CVS commit: pkgsrc/graphics/openexr

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/graphics/openexr
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Sun, 3 May 2026 14:30:52 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Sun May  3 14:30:52 UTC 2026

Modified Files:
        pkgsrc/graphics/openexr: Makefile distinfo

Log Message:
openexr: update to 3.4.11.

## Version 3.4.11 (April 29, 2026)

Patch release that addresses the following security vulnerabilities:

* [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217)
Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`)
* [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216)
Out-of-bounds read in `IDManifest::init()` during prefix expansion
* [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142)
Integer overflow in `ImageChannel::resize` leads to heap OOB write via OpenEXRUtil public API

* OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155)
Heap-buffer-overflow in `DwaCompressor_uncompress`
* OSS-fuzz [505062709](https://issues.oss-fuzz.com/issues/505062709)
Null-dereference READ in `Imf_3_3::prefixFromLayerName`

Build fixes:

- Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

Also, some minor documentation updates:

- GitHub Security Advisories are the preferred way of reporting
  vulnerabilities, not email.
- Some clarification around handling of UFT-8 of file paths

### Merged Pull Requests

* [2383](https://github.com/AcademySoftwareFoundation/openexr/pull/2383)
validate that the uncompressed sizes recorded in the dwa header are valid
* [2382](https://github.com/AcademySoftwareFoundation/openexr/pull/2382)
Fix Null-dereference READ in prefixFromLayerName
* [2378](https://github.com/AcademySoftwareFoundation/openexr/pull/2378)
Harden IDManifest parsing against illegal shift and string prefix OOB
* [2377](https://github.com/AcademySoftwareFoundation/openexr/pull/2377)
Fix OOB read when expanding IDManifest prefix-compressed strings
* [2375](https://github.com/AcademySoftwareFoundation/openexr/pull/2375)
Minor changes to website index page to make some sentences clearer. A…
* [2368](https://github.com/AcademySoftwareFoundation/openexr/pull/2368)
Add release notes and news for v3.4.10, v3.3.10, v3.2.8
* [2367](https://github.com/AcademySoftwareFoundation/openexr/pull/2367)
Fix int overflow in ImageChannel::resize pixel count
* [2364](https://github.com/AcademySoftwareFoundation/openexr/pull/2364)
Recommend GH Security Advisories for vulnerability reporting
* [2361](https://github.com/AcademySoftwareFoundation/openexr/pull/2361)
Add documentation and test for UTF-8 file paths
* [2344](https://github.com/AcademySoftwareFoundation/openexr/pull/2344)
Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

### Merged Workflow Pull Requests

* [2370](https://github.com/AcademySoftwareFoundation/openexr/pull/2370)
Bump msys2/setup-msys2 from 2.31.0 to 2.31.1
* [2366](https://github.com/AcademySoftwareFoundation/openexr/pull/2366)
Add workflow dispatch trigger to release-sign.yml
* [2363](https://github.com/AcademySoftwareFoundation/openexr/pull/2363)
Bump vmactions/freebsd-vm from 1.4.4 to 1.4.5
* [2362](https://github.com/AcademySoftwareFoundation/openexr/pull/2362)
Bump github/codeql-action from 4.35.1 to 4.35.2


To generate a diff of this commit:
cvs rdiff -u -r1.81 -r1.82 pkgsrc/graphics/openexr/Makefile
cvs rdiff -u -r1.73 -r1.74 pkgsrc/graphics/openexr/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/openexr/Makefile
diff -u pkgsrc/graphics/openexr/Makefile:1.81 pkgsrc/graphics/openexr/Makefile:1.82
--- pkgsrc/graphics/openexr/Makefile:1.81       Sun Apr 19 14:58:58 2026
+++ pkgsrc/graphics/openexr/Makefile    Sun May  3 14:30:51 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.81 2026/04/19 14:58:58 wiz Exp $
+# $NetBSD: Makefile,v 1.82 2026/05/03 14:30:51 wiz Exp $
 
-DISTNAME=      openexr-3.4.10
+DISTNAME=      openexr-3.4.11
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=openexr/}
 GITHUB_PROJECT=        openexr

Index: pkgsrc/graphics/openexr/distinfo
diff -u pkgsrc/graphics/openexr/distinfo:1.73 pkgsrc/graphics/openexr/distinfo:1.74
--- pkgsrc/graphics/openexr/distinfo:1.73       Sun Apr 19 14:58:58 2026
+++ pkgsrc/graphics/openexr/distinfo    Sun May  3 14:30:51 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.73 2026/04/19 14:58:58 wiz Exp $
+$NetBSD: distinfo,v 1.74 2026/05/03 14:30:51 wiz Exp $
 
-BLAKE2s (openexr-3.4.10.tar.gz) = c547c428de82bf59f3b8451ce0596afd0049af55958c4e93bfbdcdf61a1a2eec
-SHA512 (openexr-3.4.10.tar.gz) = c2c14cdfec3c211ee33d8d4706ac2aa8f0e4ad5effe097678aeb7bb87a833dd66c41c50b59d15f26bb08e92f6f703af50cf20baf3d97110c9ac36f75f9fa7442
-Size (openexr-3.4.10.tar.gz) = 25747896 bytes
+BLAKE2s (openexr-3.4.11.tar.gz) = 5471b224e38f6b2325e3680a57f4551532ef2c952d68575984f22b30350537a9
+SHA512 (openexr-3.4.11.tar.gz) = 1495ca7ae8a9cf865a1ec5e58e78e4136030938b59867e916aa26343693fddb16297faa9d29d6110ad3e97cec594e05d9dee5ffdb47586b44b3800cfc3502d14
+Size (openexr-3.4.11.tar.gz) = 25752935 bytes

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index