Your message dated Mon, 15 Jun 2026 16:34:08 +0000
with message-id <[email protected]>
and subject line Bug#1138257: fixed in golang-golang-x-image 0.42.0-1
has caused the Debian Bug report #1138257,
regarding golang-golang-x-image: CVE-2026-46599 CVE-2026-42500
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138257
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-golang-x-image
Version: 0.39.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for golang-golang-x-image.

CVE-2026-46599[0]:
| The TIFF decoder does not place a limit on the size of PackBits-
| compressed data. A maliciously-crafted image can exploit this to
| cause a small image (both in terms of pixel width/height and encoded
| size) to make the decoder decode large amounts of compressed data.


CVE-2026-42500[1]:
| Decoding a paletted BMP file with an out-of-range palette index
| results in a panic when accessing pixels in the invalid image.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46599
    https://www.cve.org/CVERecord?id=CVE-2026-46599
    https://github.com/golang/go/issues/79577
[1] https://security-tracker.debian.org/tracker/CVE-2026-42500
    https://www.cve.org/CVERecord?id=CVE-2026-42500
    https://github.com/golang/go/issues/79576

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
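As an added illustration of the CVE-2026-46599 description in the report above (not part of the original messages, and not code from golang.org/x/image or its fix), this stand-alone Go decoder for the PackBits run-length format refuses to produce more output than the caller expects. The function name `unpackBitsLimited`, the error values and the choice of limit are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

var errTruncated = errors.New("packbits: truncated input")
var errTooLarge = errors.New("packbits: output exceeds expected size")

// unpackBitsLimited decodes PackBits data and fails once the output would
// exceed limit, a size the caller derives from the image (assumed policy).
func unpackBitsLimited(src []byte, limit int) ([]byte, error) {
	var dst []byte
	for i := 0; i < len(src); {
		n := int(int8(src[i])) // header byte, read as signed
		i++
		switch {
		case n == -128: // no-op header, produces nothing
		case n >= 0: // literal run: copy the next n+1 bytes
			if i+n+1 > len(src) {
				return nil, errTruncated
			}
			if len(dst)+n+1 > limit {
				return nil, errTooLarge
			}
			dst = append(dst, src[i:i+n+1]...)
			i += n + 1
		default: // repeat run: the next byte repeated 1-n times
			if i >= len(src) {
				return nil, errTruncated
			}
			if len(dst)+1-n > limit {
				return nil, errTooLarge
			}
			for j := 0; j < 1-n; j++ {
				dst = append(dst, src[i])
			}
			i++
		}
	}
	return dst, nil
}

func main() {
	// Constructed input: two repeat runs of 128 zero bytes against a 64-byte cap.
	_, err := unpackBitsLimited([]byte{0x81, 0x00, 0x81, 0x00}, 64)
	fmt.Println(err)
}
```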
--- Begin Message ---
Source: golang-golang-x-image
Source-Version: 0.42.0-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-golang-x-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated 
golang-golang-x-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 17:23:25 +0200
Source: golang-golang-x-image
Architecture: source
Version: 0.42.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1138257
Changes:
 golang-golang-x-image (0.42.0-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream
     - CVE-2026-33813
     - CVE-2026-42500 (Closes: #1138257)
   * Improve d/copyright
Git-Tag-Info: tag=c5a964ea73422c26e989b99ae27aa831cc3d98e7 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
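For CVE-2026-42500, named in the changelog above, an added example (not from the original messages and not code from golang.org/x/image): a check a caller can run on a `*image.Paletted` value before touching its pixels, rejecting any pixel whose index has no palette entry. `checkPaletted` and `sampleImage` are hypothetical names, and the image is constructed for the example.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// checkPaletted returns an error for the first pixel whose index is out of
// range for the palette. (*image.Paletted).At indexes Palette with that
// byte, so such a pixel panics on access.
func checkPaletted(p *image.Paletted) error {
	b := p.Bounds()
	for y := b.Min.Y; y < b.Max.Y; y++ {
		off := p.PixOffset(b.Min.X, y)
		if off < 0 || off+b.Dx() > len(p.Pix) {
			return fmt.Errorf("row %d lies outside the pixel buffer", y)
		}
		for x, idx := range p.Pix[off : off+b.Dx()] {
			if int(idx) >= len(p.Palette) {
				return fmt.Errorf("pixel (%d,%d) uses index %d, palette has %d entries",
					b.Min.X+x, y, idx, len(p.Palette))
			}
		}
	}
	return nil
}

// sampleImage builds a constructed 2x2 image with a two-colour palette.
func sampleImage() *image.Paletted {
	pal := color.Palette{color.Black, color.White}
	return image.NewPaletted(image.Rect(0, 0, 2, 2), pal)
}

func main() {
	img := sampleImage()
	img.Pix[3] = 7 // pixel (1,1) points past the two palette entries
	fmt.Println(checkPaletted(img))
}
```

Because the check walks rows through `PixOffset` and `Bounds`, it also works on sub-images that share a larger pixel buffer.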
