Date:      Sun, 19 Apr 2026 18:36:02 +0000
From:      Daniel Engberg <diizzy@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc:        Matthias Andree <mandree@FreeBSD.org>
Subject:   git: 45e6a1dc9a12 - main - security/vuxml: Add entry for OpenEXR vulnerabilities < 3.4.10
Message-ID:  <69e52092.4637e.152e9dcc@gitrepo.freebsd.org>


The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=45e6a1dc9a123ff69d36505e14c18eb1c46a3b1d

commit 45e6a1dc9a123ff69d36505e14c18eb1c46a3b1d
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-17 18:05:09 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-19 18:33:11 +0000

    security/vuxml: Add entry for OpenEXR vulnerabilities < 3.4.10
    
    Multiple integer overflow issues
    
    Obtained from:  GitHub repo
    Security:       CVE-2026-39886
                    CVE-2026-40244
                    CVE-2026-40250
---
 security/vuxml/vuln/2026.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 3803b68e9c88..c21cd65f7b7e 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,34 @@
+  <vuln vid="7b83af27-3a86-11f1-90cd-41d47652b1c2">
+    <topic>OpenEXR -- several integer overflow vulnerabilities</topic>
+    <affects>
+	<package>
+	    <name>openexr</name>
+	    <range><lt>3.4.10</lt></range>
+	</package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Cary Phillips reports:</p>
+	<blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10">;
+	    <p>OpenEXR 3.4.10 is a patch release that addresses the following security vulnerabilities:</p>
+	    <ul><li>CVE-2026-39886 HTJ2K Signed Integer Overflow in ht_undo_impl()</li>
+		<li>CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)</li>
+		<li>CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)</li></ul>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2026-39886</cvename>
+      <cvename>CVE-2026-40244</cvename>
+      <cvename>CVE-2026-40250</cvename>
+      <url>https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10</url>;
+    </references>
+    <dates>
+      <discovery>2026-04-17</discovery>
+      <entry>2026-04-19</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="6f1c19bf-3b29-11f1-930b-98b78501ef2a">
     <topic>xrdp -- Multiple vulnerabilities</topic>
     <affects>
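Review bot: the `cite` attribute on the `<blockquote>` points at `releases/tag/v3.3.10`, but the topic, the `<lt>3.4.10</lt>` range, the quoted sentence ("OpenEXR 3.4.10 is a patch release ...") and the `<url>` under `<references>` all refer to 3.4.10, so the cite should be `https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10` to match the release the entry describes. Also worth checking: the stray `;` after the `<body xmlns=...>`, `<blockquote cite=...>` and `</url>` lines; if those are in the committed XML rather than an artifact of the mail archive's link rendering, they end up as literal text inside the entry and should be dropped. Minor style point: `<package>` and `<body>` are tab-indented while `<references>` and `<dates>` use spaces, and the visible lines of the neighbouring xrdp entry use spaces throughout.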

