Your message dated Mon, 11 May 2026 07:34:01 +0000
with message-id <[email protected]>
and subject line Bug#1132655: fixed in libraw 0.22.1-1
has caused the Debian Bug report #1132655,
regarding libraw: CVE-2026-5318 CVE-2026-5342
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132655
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libraw
Version: 0.21.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libraw.

CVE-2026-5318[0]:
| A weakness has been identified in LibRaw up to 0.22.0. This impacts
| the function HuffTable::initval of the file
| src/decompressors/losslessjpeg.cpp of the component JPEG DHT Parser.
| This manipulation of the argument bits[] causes out-of-bounds write.
| It is possible to initiate the attack remotely. The exploit has been
| made available to the public and could be used for attacks.
| Upgrading to version 0.22.1 will fix this issue. Patch name:
| a6734e867b19d75367c05f872ac26322464e3995. It is advisable to upgrade
| the affected component.


CVE-2026-5342[1]:
| A flaw has been found in LibRaw up to 0.22.0. This affects the
| function LibRaw::nikon_load_padded_packed_raw of the file
| src/decoders/decoders_libraw.cpp of the component TIFF/NEF.
| Executing a manipulation of the argument load_flags/raw_width can
| lead to out-of-bounds read. It is possible to launch the attack
| remotely. The exploit has been published and may be used. Upgrading
| to version 0.22.1 mitigates this issue. This patch is called
| b8397cd45657b84e88bd1202528d1764265f185c. It is advisable to upgrade
| the affected component.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5318
    https://www.cve.org/CVERecord?id=CVE-2026-5318
    https://github.com/LibRaw/LibRaw/issues/794
[1] https://security-tracker.debian.org/tracker/CVE-2026-5342
    https://www.cve.org/CVERecord?id=CVE-2026-5342
    https://github.com/LibRaw/LibRaw/issues/795

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libraw
Source-Version: 0.22.1-1
Done: xiao sheng wen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
xiao sheng wen <[email protected]> (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 May 2026 11:39:26 +0800
Source: libraw
Architecture: source
Version: 0.22.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: xiao sheng wen <[email protected]>
Closes: 1132655 1133845
Changes:
 libraw (0.22.1-1) unstable; urgency=medium
 .
   * Team upload.
   * upload to sid
   * New upstream version
     - Closes: #1132655
                       CVE-2026-5318
                       CVE-2026-5342
     - Closes: #1133845
       upstream use TALOS id in Changelog.txt
                       CVE-2026-20911 TALOS-2026-2330
                       CVE-2026-21413 TALOS-2026-2331
                       CVE-2026-20889 TALOS-2026-2358
                       CVE-2026-24660 TALOS-2026-2359
                       CVE-2026-24450 TALOS-2026-2363
                       CVE-2026-20884 TALOS-2026-2364

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
