SUSE has issued an advisory on January 12:
Mageia 8 is also affected.
openSUSE has issued an advisory for this on January 12:
Patches available from upstream and openSUSE
No consistent maintainer, but NicolasS (assignee) & DavidG (CC) look most promising.
The updated packages fix a security vulnerability:
OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). (CVE-2021-45942)
Updated packages in core/updates_testing:
Patches available from upstream and openSUSE =>
Installed all the packages from core release and krita.
Used krita to display various EXR format test images.
Not going to repeat the strace tests reported on bug 29657, which showed that the exr-related libraries are used.
Updated all five packages from testing.
Ran the same tests as before in the local TestImages directory.
$ exrheader AllHalfValues.exr
file format version: 2, flags 0x0
channels (type chlist):
B, 16-bit floating-point, sampling 1 1
G, 16-bit floating-point, sampling 1 1
R, 16-bit floating-point, sampling 1 1
compression (type compression): piz
dataWindow (type box2i): (0 0) - (255 255)
displayWindow (type box2i): (0 0) - (255 255)
lineOrder (type lineOrder): increasing y
pixelAspectRatio (type float): 1
screenWindowCenter (type v2f): (0 0)
screenWindowWidth (type float): 1
type (type string): "scanlineimage"
Reloaded krita to look at some of the EXR image files.
Moved to another directory:
$ exrmultipart -combine -i Trunks.exr Leaves.exr Ground.exr -o new.exr
-combine multipart input
part 0: deepscanlineimage
part 1: deepscanlineimage
part 2: deepscanlineimage
part 3: deepscanlineimage
part 4: deepscanlineimage
part 5: deepscanlineimage
Sort of - new.exr showed only the Trunks, as in previous tests. This may only expose the user's lack of understanding of how to handle EXR images.
And, as before, krita showed balls, trees, trunks and ground in the composited.exr image.
This is all developer territory really, so there is very little that QA can say about the new packages except there are no obvious regressions.
Giving this an OK.
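The exrheader dump above is a straight read of the file header: a magic number, a version/flags word, then a run of name/type/size/value attribute records closed by an empty name. The example below is added here and is not code from this bug report or from the OpenEXR project; it parses such a header in Python, builds a constructed header carrying the same attributes exrheader printed for AllHalfValues.exr (the bytes are constructed inline, not taken from the test image), and shows the check a parser has to make on the untrusted size field before it slices the value out. The field layouts follow the published OpenEXR file format; the 255-byte name limit and the attribute names are taken from that format and from the dump above. It does not reproduce the CVE-2021-45942 code path itself, which the advisory places in deep-image line compositing rather than header parsing.

```python
import struct

EXR_MAGIC = 0x762F3101  # stored little-endian: 76 2f 31 01 at offset 0
PIXEL_TYPES = {0: "32-bit unsigned int", 1: "16-bit floating-point", 2: "32-bit floating-point"}
COMPRESSION = {0: "none", 1: "rle", 2: "zips", 3: "zip", 4: "piz", 5: "pxr24",
               6: "b44", 7: "b44a", 8: "dwaa", 9: "dwab"}
LINE_ORDER = {0: "increasing y", 1: "decreasing y", 2: "random y"}
MAX_NAME = 255  # longest attribute/channel name the format allows (31 without the long-names flag)


class ExrHeaderError(ValueError):
    pass


def _cstring(buf, pos, limit=MAX_NAME):
    """Read a NUL-terminated string at pos; refuse unterminated or over-long names."""
    end = buf.find(b"\x00", pos, pos + limit + 1)
    if end < 0:
        raise ExrHeaderError(f"unterminated or over-long string at offset {pos}")
    return buf[pos:end].decode("ascii"), end + 1


def _expect(data, n, atype):
    if len(data) != n:
        raise ExrHeaderError(f"{atype} attribute must be {n} bytes, got {len(data)}")


def _decode_chlist(data):
    """chlist: repeated (name\\0, int32 pixel type, uint8 pLinear, 3 reserved, int32 xSampling,
    int32 ySampling), terminated by a single NUL byte."""
    channels, pos = [], 0
    while pos < len(data) and data[pos] != 0:
        name, pos = _cstring(data, pos)
        if pos + 16 > len(data):
            raise ExrHeaderError("truncated channel record")
        ptype, _plinear, xs, ys = struct.unpack_from("<iB3xii", data, pos)
        pos += 16
        channels.append((name, PIXEL_TYPES.get(ptype, f"unknown({ptype})"), xs, ys))
    if pos >= len(data):
        raise ExrHeaderError("chlist not terminated")
    return channels


def _decode_value(atype, data):
    if atype == "chlist":
        return _decode_chlist(data)
    if atype == "compression":
        _expect(data, 1, atype)
        return COMPRESSION.get(data[0], f"unknown({data[0]})")
    if atype == "lineOrder":
        _expect(data, 1, atype)
        return LINE_ORDER.get(data[0], f"unknown({data[0]})")
    if atype == "box2i":
        _expect(data, 16, atype)
        return struct.unpack("<iiii", data)  # xMin, yMin, xMax, yMax
    if atype == "float":
        _expect(data, 4, atype)
        return struct.unpack("<f", data)[0]
    if atype == "v2f":
        _expect(data, 8, atype)
        return struct.unpack("<ff", data)
    if atype == "string":
        return data.decode("ascii")
    return data  # unknown attribute type: keep the raw bytes


def parse_header(buf):
    """Parse magic, version/flags and the attribute list; returns a dict of name -> (type, value)."""
    if len(buf) < 8:
        raise ExrHeaderError("file too short for an EXR header")
    magic, version_field = struct.unpack_from("<II", buf, 0)
    if magic != EXR_MAGIC:
        raise ExrHeaderError(f"bad magic 0x{magic:08x}")
    attrs, pos = {}, 8
    while True:
        if pos >= len(buf):
            raise ExrHeaderError("header not terminated")
        if buf[pos] == 0:  # empty name ends the header
            pos += 1
            break
        name, pos = _cstring(buf, pos)
        atype, pos = _cstring(buf, pos)
        if pos + 4 > len(buf):
            raise ExrHeaderError(f"truncated size field for {name!r}")
        (size,) = struct.unpack_from("<i", buf, pos)
        pos += 4
        # The size field comes from the file: validate it against the bytes actually present
        # before slicing, so a hostile header cannot make us read past the buffer.
        if size < 0 or pos + size > len(buf):
            raise ExrHeaderError(f"attribute {name!r} claims {size} bytes, only {len(buf) - pos} remain")
        attrs[name] = (atype, _decode_value(atype, buf[pos:pos + size]))
        pos += size
    return {"version": version_field & 0xFF, "flags": version_field >> 8,
            "attributes": attrs, "header_end": pos}


def _attr(name, atype, data):
    return name.encode() + b"\x00" + atype.encode() + b"\x00" + struct.pack("<i", len(data)) + data


def _channel(name, ptype=1, xs=1, ys=1):
    return name.encode() + b"\x00" + struct.pack("<iB3xii", ptype, 0, xs, ys)


def build_sample_header():
    """Constructed sample (no pixel data): the attributes exrheader printed for AllHalfValues.exr."""
    chlist = _channel("B") + _channel("G") + _channel("R") + b"\x00"
    return (struct.pack("<II", EXR_MAGIC, 2)
            + _attr("channels", "chlist", chlist)
            + _attr("compression", "compression", bytes([4]))  # 4 = piz
            + _attr("dataWindow", "box2i", struct.pack("<iiii", 0, 0, 255, 255))
            + _attr("displayWindow", "box2i", struct.pack("<iiii", 0, 0, 255, 255))
            + _attr("lineOrder", "lineOrder", bytes([0]))  # 0 = increasing y
            + _attr("pixelAspectRatio", "float", struct.pack("<f", 1.0))
            + _attr("screenWindowCenter", "v2f", struct.pack("<ff", 0.0, 0.0))
            + _attr("screenWindowWidth", "float", struct.pack("<f", 1.0))
            + _attr("type", "string", b"scanlineimage")
            + b"\x00")


def rejects_oversized_attribute():
    """Corrupt the compression attribute's size field to 0x7fffffff and confirm the parser
    refuses the header instead of reading beyond the buffer."""
    hdr = bytearray(build_sample_header())
    marker = b"compression\x00compression\x00"
    struct.pack_into("<i", hdr, hdr.find(marker) + len(marker), 0x7FFFFFFF)
    try:
        parse_header(bytes(hdr))
    except ExrHeaderError:
        return True
    return False


if __name__ == "__main__":
    info = parse_header(build_sample_header())
    print(f"file format version: {info['version']}, flags 0x{info['flags']:x}")
    for name, (atype, value) in sorted(info["attributes"].items()):
        print(f"{name} (type {atype}): {value}")
    print("oversized size field rejected:", rejects_oversized_attribute())
```

Running it prints the same attribute set as the exrheader dump above, and the corrupted-size case shows why the length comparison against the remaining buffer has to happen before the value is sliced rather than after.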
Validating. Advisory in Comment 3.
An update for this issue has been pushed to the Mageia Updates repository.