pkgsrc-Changes archive
CVS commit: pkgsrc/graphics/openexr
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jun 23 10:33:36 UTC 2026
Modified Files:
pkgsrc/graphics/openexr: Makefile distinfo
Log Message:
openexr: update to 3.4.13.
## Version 3.4.13 (June 19, 2026)
Patch release that addresses several bugs and security
vulnerabilities.
* :bug: Fix a regression introduced in v3.4.11 in decoding of DWAA compression
* :bug: Fix to handling deep images and very large images with the OpenEXRUtil library
* :bug: Fix initialization issue in B44A decoding
* :bug: Validate HTJ2K chunk header length before decode
* :hammer_and_wrench: Fix when building statically and using the vendored OpenJPH library
For the python module:
* :snake: :sparkles: Support NumPy scalar values Box2i and V2f tuple bindings
This release addresses the following security vulnerabilities:
* [CVE-2026-55373](https://www.cve.org/CVERecord?id=CVE-2026-55373)
OpenEXRUtil `SampleCountChannel` `endEdit()` can loop forever on `UINT_MAX` sample counts
* [CVE-2026-55371](https://www.cve.org/CVERecord?id=CVE-2026-55371)
OpenEXRCore `exr_attr_set_bytes()` accepts NULL `type_hint` with positive `hint_length`
* [CVE-2026-55059](https://www.cve.org/CVERecord?id=CVE-2026-55059)
OpenEXRUtil `SampleCountChannel` row setter heap out-of-bounds write
* [CVE-2026-54920](https://www.cve.org/CVERecord?id=CVE-2026-54920)
Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize
* [CVE-2026-53532](https://www.cve.org/CVERecord?id=CVE-2026-53532)
Unhandled assert abort in HTJ2K decoder via crafted QCD marker (DoS)
### Security
This release addresses the following security vulnerabilities:
* [CVE-2026-55373](https://www.cve.org/CVERecord?id=CVE-2026-55373)
OpenEXRUtil SampleCountChannel endEdit() can loop forever on UINT_MAX sample counts
* [CVE-2026-55371](https://www.cve.org/CVERecord?id=CVE-2026-55371)
OpenEXRCore exr_attr_set_bytes() accepts NULL type_hint with positive hint_length
* [CVE-2026-55059](https://www.cve.org/CVERecord?id=CVE-2026-55059)
OpenEXRUtil SampleCountChannel row setter heap out-of-bounds write
* [CVE-2026-54920](https://www.cve.org/CVERecord?id=CVE-2026-54920)
Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize
### Merged Pull Requests
* [2476](https://github.com/AcademySoftwareFoundation/openexr/pull/2476)
Fix the DWAA size checks regression
* [2472](https://github.com/AcademySoftwareFoundation/openexr/pull/2472)
Unlock write context in exr_get_chunk_table_offset() return paths
* [2471](https://github.com/AcademySoftwareFoundation/openexr/pull/2471)
Add section on CVE Assignment to SECURITY.md
* [2470](https://github.com/AcademySoftwareFoundation/openexr/pull/2470)
Reject NULL bytes type_hint and data in exr_attr_bytes_create()
* [2468](https://github.com/AcademySoftwareFoundation/openexr/pull/2468)
Fix infinite loop in SampleCountChannel roundListSizeUp()
* [2466](https://github.com/AcademySoftwareFoundation/openexr/pull/2466)
Fix install manifest for linux build 13
* [2464](https://github.com/AcademySoftwareFoundation/openexr/pull/2464)
Fix heap out-of-bounds write in SampleCountChannel row setter.
* [2463](https://github.com/AcademySoftwareFoundation/openexr/pull/2463)
Fix integer overflow and invalid delete in OpenEXRUtil Image::resize()
* [2451](https://github.com/AcademySoftwareFoundation/openexr/pull/2451)
Initialize B44 tables before B44A decode
* [2445](https://github.com/AcademySoftwareFoundation/openexr/pull/2445)
Fix: Allow NumPy scalar values in Box2i and V2f tuple bindings
* [2444](https://github.com/AcademySoftwareFoundation/openexr/pull/2444)
Fix vendored OpenJPH for static builds
* [2442](https://github.com/AcademySoftwareFoundation/openexr/pull/2442)
Bugfix: Fix integer overflows
* [2438](https://github.com/AcademySoftwareFoundation/openexr/pull/2438)
Break release.py into separate small scripts for each step
* [2436](https://github.com/AcademySoftwareFoundation/openexr/pull/2436)
Release notes and news for v3.4.12
* [2434](https://github.com/AcademySoftwareFoundation/openexr/pull/2434)
Validate HTJ2K chunk header length before decode
* [2433](https://github.com/AcademySoftwareFoundation/openexr/pull/2433)
Tighten python publish workflow security/efficiency
* [2430](https://github.com/AcademySoftwareFoundation/openexr/pull/2430)
Pin idna>=3.15 in website/requirements.txt
### Merged Workflow Pull Requests
* [2479](https://github.com/AcademySoftwareFoundation/openexr/pull/2479)
Split macOS wheel arches across CI runners
* [2474](https://github.com/AcademySoftwareFoundation/openexr/pull/2474)
Bump msys2/setup-msys2 from 2.31.1 to 2.32.0
* [2467](https://github.com/AcademySoftwareFoundation/openexr/pull/2467)
Bump sigstore/gh-action-sigstore-python from 3.3.0 to 3.4.0
* [2462](https://github.com/AcademySoftwareFoundation/openexr/pull/2462)
Update idna requirement from >=3.17 to >=3.18 in /website
* [2450](https://github.com/AcademySoftwareFoundation/openexr/pull/2450)
Update idna requirement from >=3.15 to >=3.17 in /website
* [2449](https://github.com/AcademySoftwareFoundation/openexr/pull/2449)
Bump vmactions/freebsd-vm from 1.4.5 to 1.4.6
* [2437](https://github.com/AcademySoftwareFoundation/openexr/pull/2437)
Bump github/codeql-action from 4.35.4 to 4.36.0
* [2433](https://github.com/AcademySoftwareFoundation/openexr/pull/2433)
Tighten python publish workflow security/efficiency
* [2430](https://github.com/AcademySoftwareFoundation/openexr/pull/2430)
Pin idna>=3.15 in website/requirements.txt
To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 pkgsrc/graphics/openexr/Makefile
cvs rdiff -u -r1.75 -r1.76 pkgsrc/graphics/openexr/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/graphics/openexr/Makefile
diff -u pkgsrc/graphics/openexr/Makefile:1.85 pkgsrc/graphics/openexr/Makefile:1.86
--- pkgsrc/graphics/openexr/Makefile:1.85 Tue Jun 23 09:37:00 2026
+++ pkgsrc/graphics/openexr/Makefile Tue Jun 23 10:33:36 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.85 2026/06/23 09:37:00 wiz Exp $
+# $NetBSD: Makefile,v 1.86 2026/06/23 10:33:36 wiz Exp $
-DISTNAME= openexr-3.4.12
-PKGREVISION= 2
+DISTNAME= openexr-3.4.13
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_GITHUB:=openexr/}
GITHUB_PROJECT= openexr
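Review bot: The context line `MASTER_SITES= ${MASTER_SITE_GITHUB:=openexr/}` still names the `openexr/` GitHub account, while every pull request link in the log message is under `AcademySoftwareFoundation/openexr`. If the distfile is only reachable through a redirect from the old path, point MASTER_SITES at `AcademySoftwareFoundation/` so that the fetch, and the checksums recorded in distinfo, are tied to the account the project publishes from. Dropping `PKGREVISION= 2` together with the DISTNAME bump is correct for a version update.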
Index: pkgsrc/graphics/openexr/distinfo
diff -u pkgsrc/graphics/openexr/distinfo:1.75 pkgsrc/graphics/openexr/distinfo:1.76
--- pkgsrc/graphics/openexr/distinfo:1.75 Mon Jun 1 13:58:32 2026
+++ pkgsrc/graphics/openexr/distinfo Tue Jun 23 10:33:36 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.75 2026/06/01 13:58:32 wiz Exp $
+$NetBSD: distinfo,v 1.76 2026/06/23 10:33:36 wiz Exp $
-BLAKE2s (openexr-3.4.12.tar.gz) = afc301c6dc71b6c82f5be1a54dbe64a70c663ca44770d0ea5b797ad745709226
-SHA512 (openexr-3.4.12.tar.gz) = cbf72c5d1a887a19f24a8e1586b6b7baffa9137d8d6900061a676ecccecd95c729c84f17369c531725921e8177fedc9ef818028acddc99f1bc5b34a2770c538a
-Size (openexr-3.4.12.tar.gz) = 25760597 bytes
+BLAKE2s (openexr-3.4.13.tar.gz) = 4aac74518437a54436ba335d85f1dba74f86a267072dc3073b7f4ea5c926f269
+SHA512 (openexr-3.4.13.tar.gz) = da3310f9c3f8b927c7f8fca9edeb381f16e5a492298ae19a3f9d54fa46859542a71ca923a7806ed40a9bbddea34e15cfaa25f9a07a288cc70f0e0fd267a52729
+Size (openexr-3.4.13.tar.gz) = 25778576 bytes
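Review bot: The three `+` lines for openexr-3.4.13.tar.gz replace the only integrity anchor for the distfile, and nothing in the log message says what the new BLAKE2s and SHA512 values were checked against. Since this update is taken for its security fixes, state in the commit message whether the tarball was compared with the upstream release artifact rather than only hashed after fetching.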