Source: sail
Version: 0.9.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for sail.

CVE-2026-27168[0]:
| SAIL is a cross-platform library for loading and saving images with
| support for animation, metadata, and ICC profiles. All versions are
| vulnerable to Heap-based Buffer Overflow through the XWD parser's
| use of the bytes_per_line value. The value is read directly from the
| file as the read size in io->strict_read(), and is never compared to
| the actual size of the destination buffer. An attacker can provide
| an XWD file with an arbitrarily large bytes_per_line, causing a
| massive write operation beyond the buffer heap allocated for the
| image pixels. The issue did not have a fix at the time of
| publication.

To date, AFAIK, no upstream fix is available.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27168
    https://www.cve.org/CVERecord?id=CVE-2026-27168
[1] https://github.com/HappySeaFox/sail/security/advisories/GHSA-3g38-x2pj-mv55

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
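The missing check the CVE text describes, shown as an added example that is not SAIL's code: the header struct, the in-memory strict_read stand-in and the two helper functions are constructed for this illustration, and the point is that a file-supplied bytes_per_line is validated against the image geometry and the real destination buffer size before it is ever used as a read length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed subset of an XWD header; bytes_per_line is copied straight from the file. */
struct xwd_hdr { uint32_t width, height, bits_per_pixel, bytes_per_line; };

/* Minimal in-memory stand-in for an io->strict_read() callback: a short read is an error. */
struct mem_io { const uint8_t *data; size_t len, pos; };

static int strict_read(struct mem_io *io, void *dst, size_t n) {
    if (n > io->len - io->pos) return -1;
    memcpy(dst, io->data + io->pos, n);
    io->pos += n;
    return 0;
}

/* Size the pixel buffer must have for this header, or 0 if the header is
 * inconsistent or the product would overflow. Call this before allocating. */
size_t xwd_pixel_buffer_size(const struct xwd_hdr *h) {
    if (h->width == 0 || h->height == 0 || h->bits_per_pixel == 0) return 0;
    uint64_t min_row = ((uint64_t)h->width * h->bits_per_pixel + 7) / 8;
    if (h->bytes_per_line < min_row) return 0;      /* a row could not hold its pixels */
    uint64_t total = (uint64_t)h->bytes_per_line * h->height;
    if (total > SIZE_MAX / 4) return 0;             /* cheap cap against absurd sizes */
    return (size_t)total;
}

/* Hardened row loop: bytes_per_line * height is compared with the actual
 * destination size before bytes_per_line is used as a read length, so an
 * oversized value is rejected instead of overrunning dst. Returns 0 on success. */
int xwd_read_pixels(struct mem_io *io, const struct xwd_hdr *h,
                    uint8_t *dst, size_t dst_size) {
    size_t need = xwd_pixel_buffer_size(h);
    if (need == 0 || need > dst_size) return -1;    /* the comparison the advisory says is absent */
    for (uint32_t row = 0; row < h->height; row++) {
        uint8_t *row_dst = dst + (size_t)row * h->bytes_per_line;  /* stays inside dst: need <= dst_size */
        if (strict_read(io, row_dst, h->bytes_per_line) != 0) return -1;
    }
    return 0;
}
```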

