OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.
Created OpenEXR tracking bugs for this issue:
Affects: fedora-all [bug 2047746]
Marking quay-io-3 affected/delegated. Affected code exists in container image* but likelihood of exploit is unknown.
Filing trackers for RHEL-8,9 so that engineering can have a closer look and decide accordingly.
Created mingw-openexr tracking bugs for this issue:
Affects: fedora-all [bug 2051598]
Upstream commit: https://github.com/AcademySoftwareFoundation/openexr/commit/7d0ef6617f5b5622276458cc5a21d8b859ca7c5b