Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139173,
regarding trixie-pu: package graphite2/1.3.14-2+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139173
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:graphite2
User: [email protected]
Usertags: pu


[ Reason ]
CVE. See https://cvefeed.io/vuln/detail/CVE-2026-50593

the Security Team suggests to fix this via point release, so here it is
:)

[ Impact ]
CVE unfixed

[ Tests ]
None. Operated that out since a .ttf is bad for a diff. But the test
with 1.3.15-2 works in sid

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstreams 
https://github.com/silnrsi/graphite/commit/ad78c6b7319909e1540c1b134e115ced03417866

Debdiff attached.

diff -Nru graphite2-1.3.14/debian/changelog graphite2-1.3.14/debian/changelog
--- graphite2-1.3.14/debian/changelog	2023-12-24 11:38:53.000000000 +0100
+++ graphite2-1.3.14/debian/changelog	2026-06-06 19:55:55.000000000 +0200
@@ -1,3 +1,10 @@
+graphite2 (1.3.14-2+deb13u1) trixie; urgency=medium
+
+  * debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch:
+    fix CVE-2026-50593 
+
+ -- Rene Engelhard <[email protected]>  Sat, 06 Jun 2026 19:55:55 +0200
+
 graphite2 (1.3.14-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch
--- graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch	2026-06-06 19:55:55.000000000 +0200
@@ -0,0 +1,34 @@
+From ad78c6b7319909e1540c1b134e115ced03417866 Mon Sep 17 00:00:00 2001
+From: Tim Eves <[email protected]>
+Date: Mon, 1 Jun 2026 03:21:42 +0700
+Subject: [PATCH] Fix an underflow case that can be induced by crafted graphite
+ actions.
+
+This can be used to induce an out-of-bounds write prior to the slotmap.
+
+Add tests that will crash the engine if the underflow can be caused.
+---
+ src/inc/opcodes.h              |   3 +-
+ tests/CMakeLists.txt           |   1 +
+ tests/fonts/underflow.ttf      | Bin 0 -> 58340 bytes
+ tests/standards/underflow.json | 473 +++++++++++++++++++++++++++++++++
+ tests/standards/underflow.log  |   2 +
+ 5 files changed, 478 insertions(+), 1 deletion(-)
+ create mode 100644 tests/fonts/underflow.ttf
+ create mode 100644 tests/standards/underflow.json
+ create mode 100644 tests/standards/underflow.log
+
+diff --git a/src/inc/opcodes.h b/src/inc/opcodes.h
+index 10ba1772..f6166693 100644
+--- a/src/inc/opcodes.h
++++ b/src/inc/opcodes.h
+@@ -53,7 +53,8 @@
+ 
+ #define push(n)             { *++sp = n; }
+ #define pop()               (*sp--)
+-#define slotat(x)           (map[(x)])
++#define slotat(x)           ((map + (x) >= &smap[-1] && map + (x) < smap.end()) ? \
++                                map[(x)] : (status = Machine::slot_offset_out_bounds, nullptr))
+ #define DIE                 { is=seg.last(); status = Machine::died_early; EXIT(1); }
+ #define POSITIONED          1
+ 
diff -Nru graphite2-1.3.14/debian/patches/series graphite2-1.3.14/debian/patches/series
--- graphite2-1.3.14/debian/patches/series	2023-12-24 11:38:53.000000000 +0100
+++ graphite2-1.3.14/debian/patches/series	2026-06-06 19:55:55.000000000 +0200
@@ -9,3 +9,4 @@
 spell-out-lesser-and-greater.diff 
 no-explicit-dot-font-settings.diff 
 explicit-pdflatex.diff
+ad78c6b7319909e1540c1b134e115ced03417866.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to