Source: vips
Version: 8.18.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libvips/libvips/pull/4888
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for vips.

CVE-2026-3145[0]:
| A flaw has been found in libvips up to 8.18.0. The affected element
| is the function
| vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header
| of the file libvips/foreign/matrixload.c. Executing a manipulation
| can lead to memory corruption. The attack needs to be launched
| locally. This patch is called
| d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied
| to remediate this issue.

CVE-2026-3146[1]:
| A vulnerability has been found in libvips up to 8.18.0. The impacted
| element is the function vips_foreign_load_matrix_header of the file
| libvips/foreign/matrixload.c. The manipulation leads to null pointer
| dereference. The attack needs to be performed locally. The
| identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece.
| To fix this issue, it is recommended to deploy a patch.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3145
    https://www.cve.org/CVERecord?id=CVE-2026-3145
[1] https://security-tracker.debian.org/tracker/CVE-2026-3146
    https://www.cve.org/CVERecord?id=CVE-2026-3146
[2] https://github.com/libvips/libvips/pull/4888
[3] https://github.com/libvips/libvips/commit/d4ce337c76bff1b278d7085c3c4f4725e3aa6ece

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
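The report gives two facts an operator can act on: the affected range is "libvips up to 8.18.0", and the maintainer is asked to name both CVE ids in the Debian changelog. The script below turns those two facts into a local check. It is an added example written for this page, not part of the bug report, of Debian's vips packaging, or of libvips. It assumes that `vips --version` prints a string of the form `vips-8.18.0`, that the Debian changelog sits at `/usr/share/doc/libvips*/changelog.Debian.gz` (package-name pattern assumed), and, because the report names no fixed upstream release, that every upstream version at or below 8.18.0 counts as affected unless the changelog shows the CVE ids. The `8.18.0-3` changelog entry inside it is constructed for the test and is not a real Debian upload.

```shell
#!/bin/sh
# Added example for this bug report; not the report's, Debian's or libvips'
# own code. Checks whether an installed vips falls inside the range the
# report calls affected ("libvips up to 8.18.0") for CVE-2026-3145 and
# CVE-2026-3146 and, on Debian, whether the package changelog already
# records both CVE ids, as the report asks the maintainer to do.
#
# Assumptions (not stated on the page):
#   * `vips --version` prints something like "vips-8.18.0".
#   * The changelog path /usr/share/doc/libvips*/changelog.Debian.gz.
#   * A Debian revision carrying the backport (e.g. a hypothetical 8.18.0-3)
#     still reports upstream 8.18.0, so the changelog check is what
#     distinguishes patched from unpatched at the same upstream version.

# Reduce "vips-8.18.0", "8.18.0-2" or "1:8.18.0-2" to the upstream version.
upstream_version() {
    v=$1
    v=${v#vips-}   # drop the CLI prefix
    v=${v#*:}      # drop a Debian epoch, if present
    v=${v%%-*}     # drop the Debian revision (and anything after a dash)
    printf '%s\n' "$v"
}

# Compare two dotted numeric versions; print -1, 0 or 1. Numeric parts only:
# use `dpkg --compare-versions` for full Debian version semantics.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}
        bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit 0 when the version given (any of the forms above) is <= 8.18.0,
# the upper bound the report states for both CVEs.
vips_affected() {
    [ "$(vercmp "$(upstream_version "$1")" 8.18.0)" -le 0 ]
}

# Exit 0 when the changelog text passed as $1 names both CVE ids.
changelog_fixed() {
    printf '%s\n' "$1" | grep -q 'CVE-2026-3145' &&
        printf '%s\n' "$1" | grep -q 'CVE-2026-3146'
}

# Constructed sample changelog entry (hypothetical 8.18.0-3 revision); it
# only exercises changelog_fixed, the real one comes from the package.
SAMPLE_CHANGELOG='vips (8.18.0-3) unstable; urgency=medium

  * Apply upstream commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece
    (CVE-2026-3145, CVE-2026-3146): matrixload.c header parsing.
'

main() {
    if ! command -v vips >/dev/null 2>&1; then
        echo "vips CLI not found; nothing to check"
        return 0
    fi
    raw=$(vips --version 2>/dev/null)
    ver=$(upstream_version "$raw")
    if ! vips_affected "$ver"; then
        echo "vips $ver: above 8.18.0, outside the reported affected range"
        return 0
    fi
    for f in /usr/share/doc/libvips*/changelog.Debian.gz; do
        [ -f "$f" ] || continue
        if changelog_fixed "$(zcat "$f")"; then
            echo "vips $ver: $f records both CVE ids, treat as patched"
            return 0
        fi
    done
    echo "vips $ver: in the affected range and no changelog names the CVEs"
}

main "$@"
```

The version comparison is deliberately minimal (dotted integers only); on a Debian host, `dpkg --compare-versions` is the authoritative comparator and handles epochs, revisions and `~` suffixes that this script does not. The changelog check only tells you that a maintainer claimed the fix; confirming it means checking that the package's patch series carries commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece from PR 4888.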

