Bug 2413906 (CVE-2025-64182)

Summary: CVE-2025-64182 openexr: buffer overflow in PyOpenEXR_old's channels() and channel()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gtanzill, jbuscemi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A memory-safety vulnerability has been identified in the Python bindings of OpenEXR, where improper checks on image channels and attribute stealing operations may result in buffer overflow when processing crafted EXR files or Python objects. An attacker supplying a malicious EXR file or crafted Python object could exploit this flaw to trigger a crash in applications that use the vulnerable bindings, potentially leading to denial-of-service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2417985, 2417986, 2417987, 2417988    
Bug Blocks:    

Description OSIDB Bzimport 2025-11-10 22:01:49 UTC 
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue.