CVE-2024-40630

2024-07-1520:15:05

Debian Security Bug Tracker

security-tracker.debian.org

openimageio

image files

vfx/animation

vulnerability

heif input

information disclosure

upgrade

bug fix

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

Low

JSON

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input functionality of OpenImageIO. Specifically, in HeifInput::seek_subimage(). In the worst case, this can lead to an information disclosure vulnerability, particularly for programs that directly use the ImageInput APIs. This bug has been addressed in commit 0a2dcb4c which is included in the 2.5.13.1 release. Users are advised to upgrade. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
Debian12allopenimageio<= 2.4.7.1+dfsg-2openimageio_2.4.7.1+dfsg-2_all.deb
Debian11allopenimageio<= 2.2.10.1+dfsg-1+deb11u1openimageio_2.2.10.1+dfsg-1+deb11u1_all.deb
Debian999allopenimageio< 2.5.14.0+dfsg-1openimageio_2.5.14.0+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	openimageio	<= 2.4.7.1+dfsg-2	openimageio_2.4.7.1+dfsg-2_all.deb
Debian	11	all	openimageio	<= 2.2.10.1+dfsg-1+deb11u1	openimageio_2.2.10.1+dfsg-1+deb11u1_all.deb
Debian	999	all	openimageio	< 2.5.14.0+dfsg-1	openimageio_2.5.14.0+dfsg-1_all.deb