NIXPKGS-2026-1444
GitHub issue
published on
by @LeSuisse

Activity log
- Created suggestion
- @LeSuisse ignored 3 packages
  - openexr_2
  - openexrid-unstable
  - haskellPackages.openexr-write
- @LeSuisse accepted
- @LeSuisse published on GitHub
OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, `IDManifest::init()` reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads `stringList[i][0]` and `stringList[i][1]` without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
References
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4 (x_refsource_CONFIRM, exploit)
Affected products
openexr
- >= 3.0.0, < 3.2.9
- >= 3.4.0, < 3.4.11
- >= 3.3.0, < 3.3.11
Matching in nixpkgs
Ignored packages (3)
pkgs.openexr_2
High dynamic-range (HDR) image file format
pkgs.openexrid-unstable
OpenEXR files able to isolate any object of a CG image with perfect antialiasing
- nixos-unstable 2017-09-17
- nixpkgs-unstable 2017-09-17
- nixos-unstable-small 2017-09-17
- nixos-25.11 2017-09-17
- nixos-25.11-small 2017-09-17
- nixpkgs-25.11-darwin 2017-09-17
Package maintainers
- @paperdigits Mica Semrick <mica@silentumbrella.com>