Bug 2418252

Summary: CVE-2025-64181 usd: Use of Uninitialized Memory inside generic_unpack [fedora-43]
Product: [Fedora] Fedora Reporter: TEJ RATHI <trathi>
Component: usdAssignee: Ben Beasley <code>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 43CC: adriacabellocrespo, aekoroglu, code, luya_tfz, multimedia-sig, negativo17
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["8abf4a69-b872-4541-8f53-729b2e33838c"]}
Fixed In Version: usd-25.08-12.fc43 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-12-16 00:46:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2413902    

Description TEJ RATHI 2025-12-02 05:44:35 UTC 
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Comment 1 Ben Beasley 2025-12-02 10:29:41 UTC 
It’s unfortunate that neither https://www.cve.org/CVERecord?id=CVE-2025-64181 nor https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq points out the precise fix. Still, it’s basically https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.2..v3.4.3 that needs to be backported to fix this and related issues. Some, but not all, of the affected code appears to be present in OpenUSD. I will attempt to craft a patch backporting the relevant changes.
Comment 2 Ben Beasley 2025-12-02 20:09:04 UTC 
https://src.fedoraproject.org/rpms/usd/pull-request/37

Waiting for https://bodhi.fedoraproject.org/updates/FEDORA-2025-0cc929ff17 to go stable first.
Comment 3 Fedora Update System 2025-12-07 17:16:19 UTC 
FEDORA-2025-4924a5bc8b (usd-25.08-12.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-4924a5bc8b
Comment 4 Fedora Update System 2025-12-08 01:07:17 UTC 
FEDORA-2025-4924a5bc8b has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4924a5bc8b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-4924a5bc8b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2025-12-16 00:46:37 UTC 
FEDORA-2025-4924a5bc8b (usd-25.08-12.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.