import UBI openexr-3.1.1-3.el9_7.1

SOURCES/openexr-CVE-2026-27622.patch

@@ -0,0 +1,14 @@
+diff -urNp a/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp b/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp
+--- a/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp	2026-03-26 08:27:58.855705716 +0100
++++ b/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp	2026-03-26 08:32:52.955196547 +0100
+@@ -462,6 +462,10 @@ CompositeDeepScanLine::readPixels(int st
+        num_sources[ptr]=0;
+        for(size_t j=0;j<parts;j++)
+        {
++          if (total_sizes[ptr] > std::numeric_limits<unsigned int>::max() - counts[j][ptr])
++              throw IEX_NAMESPACE::ArgExc (
++                  "Cannot composite scanline: pixel cannot have more than UINT_MAX samples");
++
+           total_sizes[ptr]+=counts[j][ptr];
+           if(counts[j][ptr]>0) num_sources[ptr]++;
+        }

SPECS/openexr.spec

@@ -3,7 +3,7 @@
 
 Name:           openexr
 Version:        3.1.1
-Release:        3%{?dist}
+Release:        3%{?dist}.1
 Summary:        Provides the specification and reference implementation of the EXR file format
 
 License:        BSD
@@ -17,6 +17,8 @@ BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  zlib-devel
 
 Patch1:         openexr-CVE-2023-5481.patch
+# Fix CVE 2026-27622
+Patch2:         openexr-CVE-2026-27622.patch
 
 Obsoletes:      OpenEXR < 2.5.3
 Provides:       OpenEXR = %{version}-%{release}
@@ -33,6 +35,7 @@ This package containes the binaries for OpenEXR.
 Summary:        OpenEXR Libraries
 Provides:       OpenEXR-libs = %{version}-%{release}
 Obsoletes:      OpenEXR-libs < 2.5.3
+Requires:       openexr-libs = %{version}-%{release}
 
 %description libs
 OpenEXR is an open-source high-dynamic-range floating-point image file format
@@ -128,6 +131,9 @@ Summary:        Development files for %{name}
 
 
 %changelog
+* Wed Apr 01 2026 Josef Ridky <jridky@redhat.com> - 3.1.1-3.1
+- fix CVE-2026-27622
+
 * Wed Oct 23 2024 Josef Ridky <jridky@redhat.com> - 3.1.1-3
 - fix CVE-2023-5481 (RHEL-23879)