Resolves: RHEL-164921 - fix CVE-2026-34588

Signed-off-by: Josef Ridky <jridky@redhat.com>
2026-04-29 07:23:02 +02:00 · 2026-04-29 07:23:02 +02:00 · 1ab481c322
commit 1ab481c322
parent 12c7aa7a94
2 changed files with 106 additions and 2 deletions
--- a/openexr-CVE-2026-34588.patch
+++ b/openexr-CVE-2026-34588.patch
@ -0,0 +1,99 @@
+diff -urNp a/src/lib/OpenEXRCore/internal_piz.c b/src/lib/OpenEXRCore/internal_piz.c
+--- a/src/lib/OpenEXRCore/internal_piz.c	2026-04-28 10:16:28.783604549 +0200
+++ b/src/lib/OpenEXRCore/internal_piz.c	2026-04-28 10:17:45.682196662 +0200
+@@ -10,6 +10,7 @@
+ #include "internal_huf.h"
+ #include "internal_xdr.h"
+ 
+#include <limits.h>
+ #include <string.h>
+ 
+ /**************************************/
+@@ -171,10 +172,11 @@ wdec16 (uint16_t l, uint16_t h, uint16_t
+ static void
+ wav_2D_encode (uint16_t* in, int nx, int ox, int ny, int oy, uint16_t mx)
+ {
+-    int w14 = (mx < (1 << 14)) ? 1 : 0;
+-    int n   = (nx > ny) ? ny : nx;
+-    int p   = 1; // == 1 <<  level
+-    int p2  = 2; // == 1 << (level+1)
+    int     w14  = (mx < (1 << 14)) ? 1 : 0;
+    int     n    = (nx > ny) ? ny : nx;
+    int     p    = 1; // == 1 <<  level
+    int     p2   = 2; // == 1 << (level+1)
+    int64_t oy64 = oy;
+ 
+     //
+     // Hierachical loop on smaller dimension n
+@@ -183,9 +185,9 @@ wav_2D_encode (uint16_t* in, int nx, int
+     while (p2 <= n)
+     {
+         uint16_t* py  = in;
+-        uint16_t* ey  = in + oy * (ny - p2);
+-        int       oy1 = oy * p;
+-        int       oy2 = oy * p2;
+        uint16_t* ey  = in + oy64 * (ny - p2);
+        int64_t   oy1 = oy64 * p;
+        int64_t   oy2 = oy64 * p2;
+         int       ox1 = ox * p;
+         int       ox2 = ox * p2;
+         uint16_t  i00, i01, i10, i11;
+@@ -284,10 +286,11 @@ wav_2D_decode (
+     int       oy, // i : y offset
+     uint16_t  mx)  // i : maximum in[x][y] value
+ {
+-    int w14 = (mx < (1 << 14)) ? 1 : 0;
+-    int n   = (nx > ny) ? ny : nx;
+-    int p   = 1;
+-    int p2;
+    int     w14  = (mx < (1 << 14)) ? 1 : 0;
+    int     n    = (nx > ny) ? ny : nx;
+    int     p    = 1;
+    int     p2;
+    int64_t oy64 = oy;
+ 
+     //
+     // Search max level
+@@ -307,9 +310,9 @@ wav_2D_decode (
+     while (p >= 1)
+     {
+         uint16_t* py  = in;
+-        uint16_t* ey  = in + oy * (ny - p2);
+-        int       oy1 = oy * p;
+-        int       oy2 = oy * p2;
+        uint16_t* ey  = in + oy64 * (ny - p2);
+        int64_t   oy1 = oy64 * p;
+        int64_t   oy2 = oy64 * p2;
+         int       ox1 = ox * p;
+         int       ox2 = ox * p2;
+         uint16_t  i00, i01, i10, i11;
+@@ -509,11 +512,13 @@ internal_exr_apply_piz (exr_encode_pipel
+         nx     = curc->width;
+         ny     = curc->height;
+         wcount = (int) (curc->bytes_per_element / 2);
+        if (wcount > 0 && nx > INT_MAX / wcount)
+            return EXR_ERR_CORRUPT_CHUNK;
+         for (int j = 0; j < wcount; ++j)
+         {
+             wav_2D_encode (wavbuf + j, nx, wcount, ny, wcount * nx, maxValue);
+         }
+-        wavbuf += nx * ny * wcount;
+        wavbuf += (uint64_t) nx * ny * wcount;
+     }
+ 
+     nBytes    = 0;
+@@ -644,11 +649,13 @@ internal_exr_undo_piz (
+         nx     = curc->width;
+         ny     = curc->height;
+         wcount = (int) (curc->bytes_per_element / 2);
+        if (wcount > 0 && nx > INT_MAX / wcount)
+            return EXR_ERR_CORRUPT_CHUNK;
+         for (int j = 0; j < wcount; ++j)
+         {
+             wav_2D_decode (wavbuf + j, nx, wcount, ny, wcount * nx, maxValue);
+         }
+-        wavbuf += nx * ny * wcount;
+        wavbuf += (uint64_t) nx * ny * wcount;
+     }
+ 
+     //
--- a/openexr.spec
+++ b/openexr.spec
@ -3,7 +3,7 @@

 Name:           openexr
 Version:        3.1.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Provides the specification and reference implementation of the EXR file format

 License:        BSD
@ -19,9 +19,12 @@ BuildRequires:  zlib-devel
 Patch1:         openexr-CVE-2023-5481.patch
 # Fix CVE 2026-27622
 Patch2:         openexr-CVE-2026-27622.patch
+# Fix CVE 2026-34588
+Patch3:         openexr-CVE-2026-34588.patch

 Obsoletes:      OpenEXR < 2.5.3
 Provides:       OpenEXR = %{version}-%{release}
+Requires:       openexr-libs%{?_isa} = %{version}-%{release}

 %description
 OpenEXR is an open-source high-dynamic-range floating-point image file format
@ -35,7 +38,6 @@ This package containes the binaries for OpenEXR.
 Summary:        OpenEXR Libraries
 Provides:       OpenEXR-libs = %{version}-%{release}
 Obsoletes:      OpenEXR-libs < 2.5.3
-Requires:       openexr-libs = %{version}-%{release}

 %description libs
 OpenEXR is an open-source high-dynamic-range floating-point image file format
@ -131,6 +133,9 @@ Summary:        Development files for %{name}


 %changelog
+* Tue Apr 28 2026 Josef Ridky <jridky@redhat.com> - 3.1.1-5
+- fix CVE-2026-34588
+
 * Thu Mar 26 2026 Josef Ridky <jridky@redhat.com> - 3.1.1-4
 - fix CVE-2026-27622