v3.4.13

@cary-ilm cary-ilm released this 19 Jun 18:33

Patch release that addresses several bugs and security
vulnerabilities.

  • 🐛 Fix a regression introduced in v3.4.11 in decoding of DWAA compression
  • 🐛 Fix handling of deep images and very large images with the OpenEXRUtil library
  • 🐛 Fix initialization issue in B44A decoding
  • 🐛 Validate HTJ2K chunk header length before decode
  • 🛠️ Fix when building statically and using the vendored OpenJPH library

For the Python module:

  • 🐍 ✨ Support NumPy scalar values Box2i and V2f tuple bindings

This release addresses the following security vulnerabilities:

  • CVE-2026-55373 OpenEXRUtil SampleCountChannel endEdit() can loop forever on UINT_MAX sample counts
  • CVE-2026-55371 OpenEXRCore exr_attr_set_bytes() accepts NULL type_hint with positive hint_length
  • CVE-2026-55059 OpenEXRUtil SampleCountChannel row setter heap out-of-bounds write
  • CVE-2026-54920 Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize
  • CVE-2026-53532 Unhandled assert abort in HTJ2K decoder via crafted QCD marker (DoS)