CVE-2023-22845 (https://talosintelligence.com/vulnerability_reports/TALOS-2023-1708): An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2023-24472 (https://talosintelligence.com/vulnerability_reports/TALOS-2023-1709): A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.
CVE-2023-24473 (https://talosintelligence.com/vulnerability_reports/TALOS-2023-1707): An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
Unclear if fixed.
These are fixed in v2.4.8.1: https://github.com/OpenImageIO/oiio/releases/tag/v2.4.8.1
Looks like 2.4.12.0 is the first version with fixes here. Probably will be covered by the stabilization in bug 917679.