Source: vips
Version: 8.18.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libvips/libvips/pull/4887
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for vips.

CVE-2026-3283[0]:
| A vulnerability has been found in libvips 8.19.0. This issue affects
| the function vips_extract_band_build of the file
| libvips/conversion/extract.c. The manipulation of the argument
| extract_band leads to out-of-bounds read. The attack needs to be
| performed locally. The exploit has been disclosed to the public and
| may be used. The identifier of the patch is
| 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is
| recommended to deploy a patch.

CVE-2026-3284[1]:
| A vulnerability was found in libvips 8.19.0. Impacted is the
| function vips_extract_area_build of the file
| libvips/conversion/extract.c. The manipulation of the argument
| extract_area results in integer overflow. The attack requires a
| local approach. The exploit has been made public and could be used.
| The patch is identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70.
| It is advisable to implement a patch to correct this issue.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3283
    https://www.cve.org/CVERecord?id=CVE-2026-3283
[1] https://security-tracker.debian.org/tracker/CVE-2026-3284
    https://www.cve.org/CVERecord?id=CVE-2026-3284
[2] https://github.com/libvips/libvips/pull/4887
[3] https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
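The two CVEs above describe the same class of defect in an image-cropping API: a band index or a crop rectangle that is not checked against the image's real extent (out-of-bounds read), and a check written as an addition that can wrap (integer overflow). The following is an added example, not code from libvips or from the upstream patch, showing how a maintainer or reviewer would expect such parameters to be validated. The image dimensions are passed as plain integers, and the function names `extract_band_ok` and `extract_area_ok` are hypothetical; they do not correspond to any libvips symbol.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Validate a band range [band, band + n) against an image with `bands`
 * bands. The condition "band + n <= bands" is written as a subtraction
 * so that a hostile `n` close to INT_MAX cannot wrap the sum negative
 * and slip past the check. (Hypothetical helper, not a libvips API.)
 */
bool extract_band_ok(int bands, int band, int n)
{
    if (bands < 0 || band < 0 || n < 1)
        return false;
    /* bands - n cannot overflow: bands >= 0 and n >= 1 */
    if (band > bands - n)
        return false;
    return true;
}

/*
 * Validate a crop rectangle (left, top, width, height) against an image
 * of im_width x im_height pixels. Again each "offset + size <= extent"
 * test is expressed as "offset <= extent - size", which is overflow-free
 * once the sign checks above it have passed. (Hypothetical helper.)
 */
bool extract_area_ok(int im_width, int im_height,
                     int left, int top, int width, int height)
{
    if (im_width < 0 || im_height < 0)
        return false;
    if (left < 0 || top < 0 || width < 1 || height < 1)
        return false;
    if (left > im_width - width)    /* equivalent to left + width > im_width */
        return false;
    if (top > im_height - height)   /* equivalent to top + height > im_height */
        return false;
    return true;
}

/* Stand-alone demonstration on a constructed 100x50 three-band image. */
int main(void)
{
    printf("band 2, n=1 on 3 bands:        %s\n",
           extract_band_ok(3, 2, 1) ? "ok" : "rejected");
    printf("band 3, n=1 on 3 bands:        %s\n",
           extract_band_ok(3, 3, 1) ? "ok" : "rejected");
    printf("area left=INT_MAX width=1:     %s\n",
           extract_area_ok(100, 50, INT_MAX, 0, 1, 1) ? "ok" : "rejected");
    printf("area 0,0 100x50 on 100x50:     %s\n",
           extract_area_ok(100, 50, 0, 0, 100, 50) ? "ok" : "rejected");
    return 0;
}
```

The point of the subtraction form is that the naive `left + width > im_width` test is itself the overflow: with `left` near `INT_MAX` the sum wraps (undefined behaviour in C, in practice a negative value), the comparison passes, and the later pixel read runs past the buffer. Rejecting negative and zero sizes first is what makes the subtraction safe.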

