A vulnerability was found in openexr: an integer overflow in Imf_3_1::bytesPerDeepLineTable. References: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38912
Created mingw-openexr tracking bugs for this issue: Affects: fedora-all [bug 2019785]
Created openexr tracking bugs for this issue: Affects: fedora-all [bug 2019784]
This is already fixed for Fedora 35+ (already on 3.1.2). Unless upstream wants to backport the fixes/patches to 2.5, I have no intention of updating Fedora 33 & 34.
Flaw summary: An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t is narrower than 64 bits. This could produce invalid bytesPerLine and maxBytesPerLine values, which could lead to problems with application stability or open other attack paths.
Patch: https://github.com/AcademySoftwareFoundation/openexr/commit/5db6f7aee79e3e75e8c3780b18b28699614dd08e (also applies to ImfMisc.cpp of openexr-2.5.5)
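The following is an added illustration of the bug class described in the flaw summary; it is not OpenEXR's code and not the content of the linked patch. It assumes (my reading of the summary, not a fact stated on this page) that the per-line byte count is built by accumulating per-pixel sample counts taken from the file multiplied by the channel's bytes per sample, and that on a 32-bit target that accumulation happens in a 32-bit size_t. A uint32_t accumulator stands in for the 32-bit size_t so the wrap can be reproduced on a 64-bit host; the function names, the simplified "one channel, one line" model and the constructed sample-count tables are all hypothetical. The checked variant uses the GCC/Clang overflow builtins.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical simplified model: one channel, one scanline, and for each
// pixel on the line the sample count read from the file's sample-count
// table. bytesPerSample is the size of one sample of that channel.

// Unchecked form. The 32-bit accumulator stands in for size_t on a 32-bit
// target: both the multiply and the add wrap silently, so a crafted
// sample-count table yields a bytes-per-line value far smaller than the
// data it actually describes.
std::uint32_t bytesPerDeepLineUnchecked(const std::vector<std::uint32_t>& sampleCounts,
                                        std::uint32_t bytesPerSample)
{
    std::uint32_t total = 0;
    for (std::uint32_t n : sampleCounts)
        total += n * bytesPerSample;   // may wrap, no error reported
    return total;
}

// Hardened form: accumulate in 64-bit, report overflow of every operation
// via the compiler builtins, and reject any total that would not fit in the
// target's size_t. The limit is a parameter so the 32-bit case can be
// exercised on a 64-bit host.
std::optional<std::uint64_t>
bytesPerDeepLineChecked(const std::vector<std::uint32_t>& sampleCounts,
                        std::uint32_t bytesPerSample,
                        std::uint64_t limit = std::numeric_limits<std::size_t>::max())
{
    std::uint64_t total = 0;
    for (std::uint32_t n : sampleCounts) {
        std::uint64_t bytes = 0;
        if (__builtin_mul_overflow(static_cast<std::uint64_t>(n),
                                   static_cast<std::uint64_t>(bytesPerSample), &bytes))
            return std::nullopt;
        if (__builtin_add_overflow(total, bytes, &total))
            return std::nullopt;
        if (total > limit)             // would not fit in the target's size_t
            return std::nullopt;
    }
    return total;
}

// maxBytesPerLine over a whole table of lines. One line that fails the
// check rejects the whole table, which is what a reader should do with the
// file rather than continue with a bogus buffer size.
std::optional<std::uint64_t>
maxBytesPerLineChecked(const std::vector<std::vector<std::uint32_t>>& table,
                       std::uint32_t bytesPerSample,
                       std::uint64_t limit = std::numeric_limits<std::size_t>::max())
{
    std::uint64_t maxBytes = 0;
    for (const auto& line : table) {
        std::optional<std::uint64_t> b = bytesPerDeepLineChecked(line, bytesPerSample, limit);
        if (!b) return std::nullopt;
        if (*b > maxBytes) maxBytes = *b;
    }
    return maxBytes;
}

int main()
{
    // Constructed sample-count tables (not from a real file).
    const std::vector<std::uint32_t> benign  = {1, 2, 3};
    const std::vector<std::uint32_t> crafted = {0x40000000u, 0x40000000u, 0x40000000u, 0x40000000u};
    const std::uint64_t limit32 = 0xFFFFFFFFull;   // size_t max on a 32-bit target

    std::printf("benign  unchecked: %u\n", bytesPerDeepLineUnchecked(benign, 4));
    std::printf("crafted unchecked: %u (wrapped to a tiny value)\n",
                bytesPerDeepLineUnchecked(crafted, 4));
    std::printf("crafted checked (32-bit limit): %s\n",
                bytesPerDeepLineChecked(crafted, 4, limit32) ? "accepted" : "rejected");
    return 0;
}
```

With four pixels of 0x40000000 samples at 4 bytes each, each pixel's byte count is exactly 2^32, so the unchecked 32-bit computation wraps every term to zero and reports a zero-byte line for 16 GiB of sample data; the checked variant rejects the same table against a 32-bit limit and, against a 64-bit limit, returns the true 2^34 bytes.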