git: 6ae2ea6b9804 - 2026Q1 - graphics/openexr*: Security update to v3.4.5 and i386 fix
Date: Tue, 24 Feb 2026 21:28:05 UTC
The branch 2026Q1 has been updated by diizzy:
URL: https://cgit.FreeBSD.org/ports/commit/?id=6ae2ea6b9804ed95bc7a67f4bff6954441d9890f
commit 6ae2ea6b9804ed95bc7a67f4bff6954441d9890f
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-02-22 10:17:32 +0000
Commit: Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-02-24 21:26:58 +0000
graphics/openexr*: Security update to v3.4.5 and i386 fix
"Patch release that fixes an incorrect size check in
istream_nonparallel_read that could lead to a buffer overflow on invalid
input data."
Also fix i386 self-tests by adding -msse2: i386 builds require SSE2, but
the upstream cmake stuff does not enable this, so use CFLAGS_i386.
To prevent people seeing SIGILL crashes down late at run-time,
check if the CPU is sse2-capable by querying the clang compiler from
the pre-install script (pkg-plist's @preexec). Suggested by diizzy@.
Other than that we could use the cpuid or the lscpu port instead, but
let's for now assume everything that wants to run OpenEXR also has a
working cc that is clang and has -march=native and gives us CPU details).
(GCC also gives us this but will use a different output format.)
While here, make failed tests verbose through ctest's environment so we
can see what's up from the build log already. (We need to go through
this indirection because our cmake.mk's :testing feature wants to go
through the test target instead of calling ctest directly.)
Changelog: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.5
Security: 716d25a6-0fdc-11f1-bfdf-ff9355aecb00
MFH: 2026Q1
(cherry picked from commit 6b50d3885e31662c439e89f43c74617100ce0bd0)
---
graphics/openexr-website-docs/Makefile | 2 +-
graphics/openexr-website-docs/distinfo | 6 +++---
graphics/openexr/Makefile | 15 ++++++++++++++-
graphics/openexr/distinfo | 6 +++---
graphics/openexr/pkg-plist | 1 +
5 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/graphics/openexr-website-docs/Makefile b/graphics/openexr-website-docs/Makefile
index 30fb0e33e45e..c0107dc64f54 100644
--- a/graphics/openexr-website-docs/Makefile
+++ b/graphics/openexr-website-docs/Makefile
@@ -1,5 +1,5 @@
PORTNAME= openexr-website-docs
-PORTVERSION= 3.4.4
+PORTVERSION= 3.4.5
PORTREVISION= 0
MASTER_SITES= https://github.com/AcademySoftwareFoundation/openexr/releases/download/v${PORTVERSION}/:DEFAULT \
https://raw.githubusercontent.com/AcademySoftwareFoundation/openexr-images/main/:website \
diff --git a/graphics/openexr-website-docs/distinfo b/graphics/openexr-website-docs/distinfo
index 65c4857d8fe6..b804f0a627b5 100644
--- a/graphics/openexr-website-docs/distinfo
+++ b/graphics/openexr-website-docs/distinfo
@@ -1,6 +1,6 @@
-TIMESTAMP = 1763594706
-SHA256 (openexr/openexr-3.4.4.tar.gz) = 91fc5670f13fe7d9d3b7ae0fe695e3cc813200839084eae6497459e7f650d876
-SIZE (openexr/openexr-3.4.4.tar.gz) = 25475873
+TIMESTAMP = 1771710011
+SHA256 (openexr/openexr-3.4.5.tar.gz) = 3e3b0c697acb7383ed476276e8ca3933d1e099249c080d3c91642515e6b5b84a
+SIZE (openexr/openexr-3.4.5.tar.gz) = 25476007
SHA256 (openexr/TestImages/README.rst) = 3cbb0a9ab20868940de1b9bf582bdc5ff4244cc585c682d6e40b9befb8fd593c
SIZE (openexr/TestImages/README.rst) = 2588
SHA256 (openexr/TestImages/AllHalfValues.exr) = eede573a0b59b79f21de15ee9d3b7649d58d8f2a8e7787ea34f192db3b3c84a4
diff --git a/graphics/openexr/Makefile b/graphics/openexr/Makefile
index 4e023bd61ac0..29304517a8f3 100644
--- a/graphics/openexr/Makefile
+++ b/graphics/openexr/Makefile
@@ -1,5 +1,5 @@
PORTNAME?= openexr
-PORTVERSION?= 3.4.4 # ALSO update openexr-website-docs! -- verify sigstore: make makesum verify-sigstore
+PORTVERSION?= 3.4.5 # ALSO update openexr-website-docs! -- verify sigstore: make makesum verify-sigstore
PORTREVISION?= 0
CATEGORIES= graphics devel
.if !defined(MASTERDIR)
@@ -63,6 +63,10 @@ CMAKE_TESTING_ON= BUILD_TESTING \
OPENEXR_TEST_PYTHON \
OPENEXR_TEST_TOOLS
+TEST_ENV+= CTEST_OUTPUT_ON_FAILURE=TRUE
+
+# OpenEXR mandates SSE2 on i386
+CFLAGS_i386+= -msse2
CPPFLAGS+= -I.
# must be linked with -l{thr|pthread} explicitly
LDFLAGS+= -lpthread
@@ -86,6 +90,15 @@ _DOCSRCDIR1= ${WRKSRC}
_DOC_FILES1= CHANGES.md CONTRIBUTING.md GOVERNANCE.md LICENSE.md SECURITY.md \
CODE_OF_CONDUCT.md CONTRIBUTORS.md README.md
+.include <bsd.port.options.mk>
+
+# use conditional i386-specific lines in main pkg-plist file:
+.if ${ARCH} != i386
+PLIST_SUB+= i386="@comment "
+.else
+PLIST_SUB+= i386=""
+.endif
+
# too many reports about compilation failures, so
# sanity check we are using the same C++ standard library
_imath_libcxx= ${COMPILER_FEATURES:Mlib*c++}
diff --git a/graphics/openexr/distinfo b/graphics/openexr/distinfo
index 20c5eb7a95d3..55171e42eaa6 100644
--- a/graphics/openexr/distinfo
+++ b/graphics/openexr/distinfo
@@ -1,6 +1,6 @@
-TIMESTAMP = 1763592744
-SHA256 (openexr/openexr-3.4.4.tar.gz) = 91fc5670f13fe7d9d3b7ae0fe695e3cc813200839084eae6497459e7f650d876
-SIZE (openexr/openexr-3.4.4.tar.gz) = 25475873
+TIMESTAMP = 1771709759
+SHA256 (openexr/openexr-3.4.5.tar.gz) = 3e3b0c697acb7383ed476276e8ca3933d1e099249c080d3c91642515e6b5b84a
+SIZE (openexr/openexr-3.4.5.tar.gz) = 25476007
SHA256 (openexr/Beachball/multipart.0001.exr) = 0cd032069fbaa14a2766861fef9893ea66a6494ff64650725d3b26a500df774b
SIZE (openexr/Beachball/multipart.0001.exr) = 2894260
SHA256 (openexr/Beachball/singlepart.0001.exr) = 29719942ed3c095a8f8f111fc139fc4c28f446007f5bfce00177cae585b1a87a
diff --git a/graphics/openexr/pkg-plist b/graphics/openexr/pkg-plist
index 384776b20ffd..f9e0765d9c50 100644
--- a/graphics/openexr/pkg-plist
+++ b/graphics/openexr/pkg-plist
@@ -1,3 +1,4 @@
+%%i386%%@preexec clang </dev/null -m32 -E - -march=native -### 2>&1 | tr ' ' $'\n' | grep -q +sse2 || { echo >&2 "This port requires a CPU with SSE2 instruction set extension." ; exit 1; }
bin/exr2aces
bin/exrenvmap
bin/exrheader