Your message dated Sun, 22 Feb 2026 20:23:44 +0000
with message-id <[email protected]>
and subject line Bug#1128785: fixed in vips 8.18.0-2
has caused the Debian Bug report #1128785,
regarding vips: CVE-2026-2913
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128785
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vips
Version: 8.18.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libvips/libvips/issues/4857
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for vips.

CVE-2026-2913[0]:
| A vulnerability was determined in libvips up to 8.19.0. The affected
| element is the function vips_source_read_to_memory of the file
| libvips/iofuncs/source.c. This manipulation causes heap-based buffer
| overflow. It is possible to launch the attack on the local host. The
| attack's complexity is rated as high. The exploitability is
| described as difficult. The exploit has been publicly disclosed and
| may be utilized. Patch name:
| a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the
| recommended action to fix this issue. The confirmation of the bugfix
| mentions: "[T]he impact of this is negligible, since this only
| affects custom seekable sources larger than 4 GiB (and the crash
| occurs in user code rather than libvips itself)."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2913
    https://www.cve.org/CVERecord?id=CVE-2026-2913
[1] https://github.com/libvips/libvips/issues/4857
[2] https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: vips
Source-Version: 8.18.0-2
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated vips package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Feb 2026 20:08:32 +0100
Source: vips
Architecture: source
Version: 8.18.0-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1128785
Changes:
 vips (8.18.0-2) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2026-2913: heap-based overflow
     in vips_source_read_to_memory() (closes: #1128785).

--- End Message ---
