Control: tags 1135778 + patch Control: tags 1135778 + pending Dear maintainer,
I've prepared an NMU for cimg (versioned as 3.5.2+dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. cu Adrian
diffstat for cimg-3.5.2+dfsg cimg-3.5.2+dfsg changelog | 9 +++++++++ patches/0001-Fix-478.patch | 25 +++++++++++++++++++++++++ patches/0002-Fix-477.patch | 28 ++++++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 64 insertions(+)
diff -Nru cimg-3.5.2+dfsg/debian/changelog cimg-3.5.2+dfsg/debian/changelog
--- cimg-3.5.2+dfsg/debian/changelog 2025-02-21 12:46:14.000000000 +0200
+++ cimg-3.5.2+dfsg/debian/changelog 2026-05-06 16:19:11.000000000 +0300
@@ -1,3 +1,12 @@
+cimg (3.5.2+dfsg-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-42144: Integer overflow in PNM size check
+ * CVE-2026-42146: OOM on crafted BMP
+ * (Closes: #1135778)
+
+ -- Adrian Bunk <[email protected]> Wed, 06 May 2026 16:19:11 +0300
+
 cimg (3.5.2+dfsg-1) unstable; urgency=medium
 * New upstream version
diff -Nru cimg-3.5.2+dfsg/debian/patches/0001-Fix-478.patch cimg-3.5.2+dfsg/debian/patches/0001-Fix-478.patch
--- cimg-3.5.2+dfsg/debian/patches/0001-Fix-478.patch 1970-01-01 02:00:00.000000000 +0200
+++ cimg-3.5.2+dfsg/debian/patches/0001-Fix-478.patch 2026-05-06 16:18:41.000000000 +0300
@@ -0,0 +1,25 @@
+From 8970ffa14df371f473b6f9136d23aac70c8a98a9 Mon Sep 17 00:00:00 2001
+From: David Tschumperlé <[email protected]>
+Date: Wed, 15 Apr 2026 22:53:50 +0200
+Subject: Fix #478.
+
+---
+ CImg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CImg.h b/CImg.h
+index 910a0a4..0cadc79 100644
+--- a/CImg.h
++++ b/CImg.h
+@@ -56352,7 +56352,7 @@ namespace cimg_library {
+
+ if (filename) { // Check that dimensions specified in file does not exceed the buffer dimension
+ const cimg_int64 siz = cimg::fsize(filename);
+- if (W*H*D>siz)
++ if ((cimg_int64)W*H*D>siz)
+ throw CImgIOException(_cimg_instance
+ "load_pnm(): Specified image dimensions in file '%s' exceed file size.",
+ cimg_instance,
+--
+2.47.3
+
diff -Nru cimg-3.5.2+dfsg/debian/patches/0002-Fix-477.patch cimg-3.5.2+dfsg/debian/patches/0002-Fix-477.patch
--- cimg-3.5.2+dfsg/debian/patches/0002-Fix-477.patch 1970-01-01 02:00:00.000000000 +0200
+++ cimg-3.5.2+dfsg/debian/patches/0002-Fix-477.patch 2026-05-06 16:18:42.000000000 +0300
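Review bot: In 0001-Fix-478.patch, the widened check `(cimg_int64)W*H*D>siz` in load_pnm() can still overflow: if W, H and D are 32-bit ints taken from the file header (their declarations are outside the hunk), three large values exceed the signed 64-bit range, which is undefined behaviour, and a zero or negative dimension makes the product fall below `siz` and pass the check. A division-based form avoids both, for example `if (W<=0 || H<=0 || D<=0 || (cimg_int64)W>siz/H/D)`. The comparison also counts samples rather than bytes, so it is only a lower bound for multi-channel or 16-bit data, and a short comment saying so would help the next reader. load_pnm() starts and ends outside this hunk, so any earlier validation of W, H and D should be confirmed before relying on this note.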
@@ -0,0 +1,28 @@
+From ed1e7846ee0a374587e518bfa2a7c75cca1ad50a Mon Sep 17 00:00:00 2001
+From: David Tschumperlé <[email protected]>
+Date: Wed, 15 Apr 2026 22:59:40 +0200
+Subject: Fix #477.
+
+---
+ CImg.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/CImg.h b/CImg.h
+index 0cadc79..1f7a832 100644
+--- a/CImg.h
++++ b/CImg.h
+@@ -55744,7 +55744,10 @@ namespace cimg_library {
+ (long)fsiz,filename?filename:"(FILE*)",dx,dy);
+
+ CImg<intT> colormap;
+- if (bpp<16) { if (!nb_colors) nb_colors = 1<<bpp; } else nb_colors = 0;
++ if (bpp<16) {
++ const int max_colors = 1<<bpp;
++ if (nb_colors<=0 || nb_colors>max_colors) nb_colors = max_colors;
++ } else nb_colors = 0;
+ if (nb_colors) { colormap.assign(nb_colors); cimg::fread(colormap._data,nb_colors,nfile); }
+
+ const int xoffset = offset - 14 - header_size - 4*nb_colors;
+--
+2.47.3
+
diff -Nru cimg-3.5.2+dfsg/debian/patches/series cimg-3.5.2+dfsg/debian/patches/series
--- cimg-3.5.2+dfsg/debian/patches/series 2025-02-21 12:46:14.000000000 +0200
+++ cimg-3.5.2+dfsg/debian/patches/series 2026-05-06 16:19:09.000000000 +0300
@@ -3,3 +3,5 @@
 # baseline.patch
 privacy.patch
 Imath.patch
+0001-Fix-478.patch
+0002-Fix-477.patch
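Review bot: In 0002-Fix-477.patch, the new palette clamp takes its bound from `bpp`, but the guard `bpp<16` also admits zero and negative values, and `1<<bpp` with a negative shift count is undefined behaviour. No validation of `bpp` is visible in this hunk, so either confirm it happens earlier in the BMP loader or tighten the guard to `if (bpp>0 && bpp<16) {` and reject other unsupported depths. The clamp also silently rewrites an out-of-range `nb_colors` rather than rejecting the file, which deserves a comment such as `// Palette size comes from the file header: bound it by 2^bpp before allocating`. On the context line that follows, the return value of `cimg::fread` is not checked, so a truncated palette is presumably left partly unfilled. The enclosing function starts and ends outside the hunk.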

