Bug 29888

openSUSE has issued an advisory for this on January 12:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QYJBECOXKL6LM6PP3ZL5EKF4GRPTFTD5/

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE

No consistent maintainer, but NicolasS (assignee) & DavidG (CC) looks most promising.

CC: (none) => geiger.david68210
Assignee: bugsquad => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). (CVE-2021-45942)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45942
https://lists.suse.com/pipermail/sle-security-updates/2022-January/009997.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QYJBECOXKL6LM6PP3ZL5EKF4GRPTFTD5/
========================

Updated packages in core/updates_testing:
========================
lib(64)ilmbase2_5_25-2.5.7-1.3.mga8
lib(64)ilmbase-devel-2.5.7-1.3.mga8
lib(64)openexr-devel-2.5.7-1.3.mga8
openexr-2.5.7-1.3.mga8
lib(64)ilmimf2_5_25-2.5.7-1.3.mga8

from SRPM:
openexr-2.5.7-1.3.mga8.src.rpm

Status comment: Patches available from upstream and openSUSE => (none)
CC: (none) => nicolas.salguero
Source RPM: openexr-3.1.3-1.mga9.src.rpm => openexr-2.5.7-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED

mga8, x64

Installed all the packages from core release and krita.
Used krita to display various EXR format test images.

Not going to repeat the strace tests reported on bug 29657 which showed that exr related libraries are used.
Updated all five packages from testing.

Ran the same tests as before in the local TestImages directory.
$ exrheader AllHalfValues.exr
file AllHalfValues.exr:
file format version: 2, flags 0x0
channels (type chlist):
    B, 16-bit floating-point, sampling 1 1
    G, 16-bit floating-point, sampling 1 1
    R, 16-bit floating-point, sampling 1 1
compression (type compression): piz
dataWindow (type box2i): (0 0) - (255 255)
displayWindow (type box2i): (0 0) - (255 255)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"

Reloaded krita to look at some of the EXR image files.
Moved to another directory:
$ pwd
/home/lcl/qa/openexr/openexr-images-master/v2/Stereo
$ exrmultipart -combine -i Trunks.exr Leaves.exr Ground.exr -o new.exr
input:
      Trunks.exr
      Leaves.exr
      Ground.exr
output:
      new.exr
override:0

-combine multipart input 
part 0: deepscanlineimage
part 1: deepscanlineimage
part 2: deepscanlineimage
part 3: deepscanlineimage
part 4: deepscanlineimage
part 5: deepscanlineimage

Combine Success

Sort of - new.exr showed only the Trunks, as in previous tests.  This may only expose  the user's lack of understanding of how to handle EXR images.
And, as before krita showed balls, trees, trunks and ground in the composited.exr image.

This is all developer territory really, so there is very little that QA can say about the new packages except there are no obvious regressions.
Giving this an OK.

CC: (none) => tarazed25

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0020.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED