Upstream information

CVE-2024-40630 at MITRE

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input functionality of OpenImageIO. Specifically, in `HeifInput::seek_subimage()`. In the worst case, this can lead to an information disclosure vulnerability, particularly for programs that directly use the `ImageInput` APIs. This bug has been addressed in commit `0a2dcb4c` which is included in the 2.5.13.1 release. Users are advised to upgrade. There are no known workarounds for this issue.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.

SUSE Bugzilla entry: 1227897 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • OpenImageIO >= 2.5.13.1-1.1
  • OpenImageIO-devel >= 2.5.13.1-1.1
  • libOpenImageIO2_5 >= 2.5.13.1-1.1
  • libOpenImageIO_Util2_5 >= 2.5.13.1-1.1
  • python3-OpenImageIO >= 2.5.13.1-1.1
Patchnames:
openSUSE-Tumbleweed-2024-14200


SUSE Timeline for this CVE

CVE page created: Tue Jul 16 00:00:12 2024
CVE page last modified: Tue Sep 3 19:35:55 2024