If you think you've found a potential vulnerability in OpenEXR, please report it by filing a GitHub security advisory. Alternatively, email security@openexr.com and provide your contact info for further private/secure discussion. If your email does not receive a prompt acknowledgement, your address may be blocked.
Our policy is to acknowledge the receipt of vulnerability reports within 48 hours. Our policy is to address critical security vulnerabilities rapidly and post patches within 14 days if possible.
These vulnerabilities are present in the given versions:
- CVE-2021-45942 3.1.0, 3.1.1, 3.1.2, 3.1.3
- CVE-2021-20296 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2021-3479 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2021-3478 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2021-3477 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2021-3476 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2021-3475 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2021-3474 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3
- CVE-2020-16589 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0
- CVE-2020-16588 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0
- CVE-2020-16587 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0
- CVE-2020-15306 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1
- CVE-2020-15305 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1
- CVE-2020-15304 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1
- CVE-2020-11765 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11764 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11763 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11762 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11761 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11760 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11759 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2020-11758 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
- CVE-2018-18444 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0
- CVE-2018-18443 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0
- CVE-2017-9116 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-9115 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-9114 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-9113 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-9112 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-9111 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-9110 2.0.0, 2.0.1, 2.1.0, 2.2.0
- CVE-2017-12596 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0
- CVE-2009-1722 1.0., 1.1., 1.2., 1.3., 1.4., 1.5., 1.6.*
- CVE-2009-1721 1.0., 1.1., 1.2., 1.3., 1.4., 1.5., 1.6.*
- CVE-2009-1720 1.0., 1.1., 1.2., 1.3., 1.4., 1.5., 1.6.*
See the release notes for more information.
This gives guidance about which branches are supported with patches to security vulnerabilities.
| Version / branch | Supported |
|---|---|
| main | ✅ 🚧 ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. |
| 3.2.x | ✅ All fixes that can be backported without breaking ABI compatibility. |
| 3.1.x | |
| 3.0.x | |
| 2.5.x | |
| <= 1.x | ❌ No longer receiving patches of any kind. |
Releases artifacts are signed via sigstore. See release-sign.yml for details.
To verify a downloaded release at a given tag:
% pip install sigstore
% sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/<tag> openexr-<tag>.tar.gz
-
The OpenEXR project implements the EXR image file format, used throughout the motion picture industry and beyond, on Linux, macOS, and Windows.
-
The project consists of a software run-time library, implemented in C/C++ and built via cmake, that reads and writes image data files. The project also distributes python wrappings for the C/C++ I/O API.
-
The library reads and writes binary image data and text-based metadata, treated as blind data, none of which is executable code.
-
Other than the website and online technical documentation, the project implements no web/online services or network communication protocols. The library never requests any security or authentication credentials or login information from users.
The website implements no interactive features and requires no login credentials.
-
The library reads and writes only to file paths specificly requested via the C/C++ API. The runtime library uses no system configuration files or sidecar data files. Access to data files uses only standard file I/O system calls.
-
The library compresses/decompresses data via standard compression algorithms but uses no cryptographic or confidentiality protocols.
OpenEXR depends on Imath, a library of basic math operations also maintained and distributed by the OpenEXR project. Imath follows the same security conventions documented here for OpenEXR itself. The core Imath library has no external dependencies. The Imath python bindings depend on python and boost.
The only external library dependency of OpenEXR is libdeflate, which implements standard deflate/zlib/gzip compression and decompression.
The project uses Snyk to scan for dependency vulnerability.
Potential entry points are images being loaded using the library. Malformed images could caused issues such as heap buffer overflows, out-of-memory faults, or segmentation faults that could be exploitable as denial-of-service attacks.
The OpenEXR project implements a comprehensive suite of validation tests, including fuzz testing to harden against malicious input data. Note that fuzz testing hardens only against small input data files and is not a comprehensive test against all potential input.
Note that the exrcheck utility is intended to be used by testers to demonstrate a particular proof-of-concept input file exposes a vulnerability, and it is very helpful to let us know if a vulnerability can be reproduced using that tool.
The project also uses the OSS Fuzz service for continuous fuzz testing.
OpenEXR is downloadable and buildable by C/C++ source via GitHub. Only members of the project's Technical Steering Committee, all veteran software engineers at major motion picture studios or vendors, have write permissions on the source code repository. All critical software changes are reviewed by multiple TSC members.
The library is distributed in binary form via many common package managers across all platforms.