Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140102,
regarding trixie-pu: package giflib/5.2.2-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140102: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140102
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:giflib
User: [email protected]
Usertags: pu
Fixes two low security security issues, which don't warrant a DSA. All tests
in debusine were fine, debdiff below.
Cheers,
Moritz
diff -Nru giflib-5.2.2/debian/changelog giflib-5.2.2/debian/changelog
--- giflib-5.2.2/debian/changelog 2024-02-25 18:44:51.000000000 +0100
+++ giflib-5.2.2/debian/changelog 2026-06-13 17:19:16.000000000 +0200
@@ -1,3 +1,10 @@
+giflib (5.2.2-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2026-23868 (Closes: #1130495)
+ * CVE-2026-26740 (Closes: #1131368)
+
+ -- Moritz Mühlenhoff <[email protected]> Sat, 13 Jun 2026 17:19:16 +0200
+
giflib (5.2.2-1) unstable; urgency=medium
[ Debian Janitor]
diff -Nru giflib-5.2.2/debian/patches/CVE-2026-23868.patch
giflib-5.2.2/debian/patches/CVE-2026-23868.patch
--- giflib-5.2.2/debian/patches/CVE-2026-23868.patch 1970-01-01
01:00:00.000000000 +0100
+++ giflib-5.2.2/debian/patches/CVE-2026-23868.patch 2026-06-13
17:17:46.000000000 +0200
@@ -0,0 +1,21 @@
+commit f5b7267aed3665ef025c13823e454170d031c106
+Author: Eric S. Raymond <[email protected]>
+Date: Wed Mar 4 18:49:49 2026 -0500
+
+--- giflib-5.2.2.orig/gifalloc.c
++++ giflib-5.2.2/gifalloc.c
+@@ -349,6 +349,14 @@ SavedImage *GifMakeSavedImage(GifFileTyp
+ * aliasing problems.
+ */
+
++ /* Null out aliased pointers before any allocations
++ * so that FreeLastSavedImage won't free CopyFrom's
++ * data if an allocation fails partway through. */
++ sp->ImageDesc.ColorMap = NULL;
++ sp->RasterBits = NULL;
++ sp->ExtensionBlocks = NULL;
++ sp->ExtensionBlockCount = 0;
++
+ /* first, the local color map */
+ if (CopyFrom->ImageDesc.ColorMap != NULL) {
+ sp->ImageDesc.ColorMap = GifMakeMapObject(
diff -Nru giflib-5.2.2/debian/patches/CVE-2026-26740.patch
giflib-5.2.2/debian/patches/CVE-2026-26740.patch
--- giflib-5.2.2/debian/patches/CVE-2026-26740.patch 1970-01-01
01:00:00.000000000 +0100
+++ giflib-5.2.2/debian/patches/CVE-2026-26740.patch 2026-06-13
17:19:11.000000000 +0200
@@ -0,0 +1,48 @@
+From a3a600aa97c24734dde0b0951542488095f38ad4 Mon Sep 17 00:00:00 2001
+From: rootvector2 <[email protected]>
+Date: Sat, 16 May 2026 00:41:28 +0530
+Subject: [PATCH] Fix heap buffer overflow in EGifGCBToSavedExtension
+
+EGifGCBToExtension() unconditionally writes 4 bytes into the buffer
+passed to it, but EGifGCBToSavedExtension() invoked it on ep->Bytes
+without checking ep->ByteCount. DGifSlurp() preserves whatever
+sub-block size the source GIF declared when it stores extension
+blocks, so a malformed GIF whose Graphics Control Extension declares
+a sub-block size less than 4 leaves a saved extension shorter than
+the 4 bytes EGifGCBToExtension() then writes. Tools that round-trip
+a GIF through DGifSlurp() and EGifGCBToSavedExtension() (for example
+giftool -d, -t, -u and -x) corrupt the heap on such input.
+
+Resize the existing extension to exactly 4 bytes before writing,
+matching the invariant DGifExtensionToGCB() enforces on the read side.
+
+Reproduced under AddressSanitizer with a 40-byte crafted GIF whose
+Graphics Control Extension declares a 1-byte sub-block; giftool -d
+then triggers a 1-byte heap write past the end of the ep->Bytes
+allocation made in GifAddExtensionBlock().
+---
+ egif_lib.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- giflib-5.2.2.orig/egif_lib.c
++++ giflib-5.2.2/egif_lib.c
+@@ -678,6 +678,19 @@ int EGifGCBToSavedExtension(const Graphi
+ ExtensionBlock *ep =
+ &GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
+ if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
++ /* A Graphics Control Block is always 4 bytes. If
++ * the existing block came from a malformed GIF and
++ * is shorter, resize it so EGifGCBToExtension does
++ * not write past the end of ep->Bytes. */
++ if (ep->ByteCount != 4) {
++ GifByteType *new_bytes =
++ (GifByteType *)realloc(ep->Bytes, 4);
++ if (new_bytes == NULL) {
++ return GIF_ERROR;
++ }
++ ep->Bytes = new_bytes;
++ ep->ByteCount = 4;
++ }
+ EGifGCBToExtension(GCB, ep->Bytes);
+ return GIF_OK;
+ }
diff -Nru giflib-5.2.2/debian/patches/series giflib-5.2.2/debian/patches/series
--- giflib-5.2.2/debian/patches/series 2024-02-25 18:29:30.000000000 +0100
+++ giflib-5.2.2/debian/patches/series 2026-06-13 17:18:11.000000000 +0200
@@ -5,3 +5,5 @@
dont-spoil-tests-with-stderr.patch
giflib_quantize-header.patch
Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
+CVE-2026-23868.patch
+CVE-2026-26740.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---