A vulnerability was found in openexr where a Divide-by-zero was found in Imf_3_1::RGBtoXYZ.
Created mingw-openexr tracking bugs for this issue:
Affects: fedora-all [bug 2019793]
Created openexr tracking bugs for this issue:
Affects: fedora-all [bug 2019792]
Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/pull/1153/commits/ca289ef02c53b09a2d1e20de0333e5a718be3b1d
Unless this can be cleanly applied to the 2.5 series, I don't see the point in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where it's already been fixed.
In reply to comment #3:
> Unless this can be cleanly applied to the 2.5 series, I don't see the point
> in keeping this open. F35 and up are on 3.1.2 and about to be 3.1.3 where
> it's already been fixed.
Note that this is a "Flaw bug" - it is not tied *exclusively* to any version of Fedora or product. The status of a flaw bug is determined by and expresses the status of the security analysis of the vulnerability by the product security analyst, not the affected or fixed status directly. While having zero community or Red Hat products affected would likely result in a swift closure of a flaw, it should not be assumed that just because Fedora is not affected, that the flaw bug should be closed out at that time.
However, the "Tracker" bugs, in this case, , could be closed out directly by maintainers to reflect the status of the product or fix.
In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.
Created attachment 1857459 [details]
Patch for openexr-2.5.5