libIex-3_4-33-3.4.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15741-1 Final 1 1 2025-11-18T00:00:00Z current 2025-11-18T00:00:00Z 2025-11-18T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libIex-3_4-33-3.4.3-1.1 on GA media These are all security issues fixed in the libIex-3_4-33-3.4.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15741 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-64181/ SUSE CVE CVE-2025-64181 page https://www.suse.com/security/cve/CVE-2025-64182/ SUSE CVE CVE-2025-64182 page https://www.suse.com/security/cve/CVE-2025-64183/ SUSE CVE CVE-2025-64183 page openSUSE Tumbleweed libIex-3_4-33-3.4.3-1.1 libIex-3_4-33-32bit-3.4.3-1.1 libIex-3_4-33-x86-64-v3-3.4.3-1.1 libIlmThread-3_4-33-3.4.3-1.1 libIlmThread-3_4-33-32bit-3.4.3-1.1 libIlmThread-3_4-33-x86-64-v3-3.4.3-1.1 libOpenEXR-3_4-33-3.4.3-1.1 libOpenEXR-3_4-33-32bit-3.4.3-1.1 libOpenEXR-3_4-33-x86-64-v3-3.4.3-1.1 libOpenEXRCore-3_4-33-3.4.3-1.1 libOpenEXRCore-3_4-33-32bit-3.4.3-1.1 libOpenEXRCore-3_4-33-x86-64-v3-3.4.3-1.1 libOpenEXRUtil-3_4-33-3.4.3-1.1 libOpenEXRUtil-3_4-33-32bit-3.4.3-1.1 libOpenEXRUtil-3_4-33-x86-64-v3-3.4.3-1.1 openexr-3.4.3-1.1 openexr-devel-3.4.3-1.1 openexr-doc-3.4.3-1.1 libIex-3_4-33-3.4.3-1.1 as a component of openSUSE Tumbleweed libIex-3_4-33-32bit-3.4.3-1.1 as a component of openSUSE Tumbleweed libIex-3_4-33-x86-64-v3-3.4.3-1.1 as a component of openSUSE Tumbleweed libIlmThread-3_4-33-3.4.3-1.1 as a component of openSUSE Tumbleweed libIlmThread-3_4-33-32bit-3.4.3-1.1 as a component of openSUSE Tumbleweed libIlmThread-3_4-33-x86-64-v3-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXR-3_4-33-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXR-3_4-33-32bit-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXR-3_4-33-x86-64-v3-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXRCore-3_4-33-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXRCore-3_4-33-32bit-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXRCore-3_4-33-x86-64-v3-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXRUtil-3_4-33-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXRUtil-3_4-33-32bit-3.4.3-1.1 as a component of openSUSE Tumbleweed libOpenEXRUtil-3_4-33-x86-64-v3-3.4.3-1.1 as a component of openSUSE Tumbleweed openexr-3.4.3-1.1 as a component of openSUSE Tumbleweed openexr-devel-3.4.3-1.1 as a component of openSUSE Tumbleweed openexr-doc-3.4.3-1.1 as a component of openSUSE Tumbleweed OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue. CVE-2025-64181 openSUSE Tumbleweed:libIex-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:openexr-3.4.3-1.1 openSUSE Tumbleweed:openexr-devel-3.4.3-1.1 openSUSE Tumbleweed:openexr-doc-3.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-64181.html CVE-2025-64181 https://bugzilla.suse.com/1253233 SUSE Bug 1253233 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue. CVE-2025-64182 openSUSE Tumbleweed:libIex-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:openexr-3.4.3-1.1 openSUSE Tumbleweed:openexr-devel-3.4.3-1.1 openSUSE Tumbleweed:openexr-doc-3.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-64182.html CVE-2025-64182 https://bugzilla.suse.com/1253234 SUSE Bug 1253234 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue. CVE-2025-64183 openSUSE Tumbleweed:libIex-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.3-1.1 openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.3-1.1 openSUSE Tumbleweed:openexr-3.4.3-1.1 openSUSE Tumbleweed:openexr-devel-3.4.3-1.1 openSUSE Tumbleweed:openexr-doc-3.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-64183.html CVE-2025-64183 https://bugzilla.suse.com/1253235 SUSE Bug 1253235