Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:openslide
User: [email protected]
Usertags: pu

Hi Stable Release Managers,

This is the bookworm-pu equivalent of the trixie-pu upload of
openslide discussed in #1140493.

[ Reason ]
openslide in bookworm is currently affected by CVE-2026-48977.
See also #1140003.  Following discussion with the Security Team,
it seemed appropriate to include the fix in the upcoming point
release.

[ Impact ]
openslide will remain affected by CVE-2026-48977 if the update
is not granted.

[ Tests ]
The test suite of openslide currently does not trigger while
building the package.  I had to trust that the reverse
dependencies' autopkgtests had sufficient coverage, but even then,
the initial revision of the patch had a problem that I didn't
catch (a change from return NULL to goto FAIL was needed when
backporting the patch from openslide 4.0.0 to openslide 3.4.1).
It was promptly flagged by the upstream openslide developer and
thankfully corrected.

[ Risks ]
The change is relatively short, but the context around the
function evolved between openslide 3.4.1 and openslide 4.0.0.
Therefore the patch does look different from upstream's commit.
As the test suite doesn't trigger, and the quilt patch chokes on
the binary artifact update for the test item, I screwed up the
initial revision of the patch.  The present revision of the patch
has benefitted from upstream's correction and comments.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This change introduces CVE-2026-48977.patch, an import of upstream
commit 2be88bd782d9fff46de8e56a99baca523e7917b3.  The code
triggers an error condition when one of the area's tile counts has
an incoherent value (less than one, IIUC).  The differences with
the upstream commit are the lack of test artifacts and the goto
FAIL instead of the return NULL, in order to properly branch to
the failure handling segment present up to openslide 3.4.1.

[ Other info ]
When looking up the security tracker for openslide, you may also
notice CVE-2026-54604.  It appears not to trigger in trixie and
older as long as libtiff remains no greater than version 4.7.0.
The fix is not part of the present patch.

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-
diff -Nru openslide-3.4.1+dfsg/debian/changelog 
openslide-3.4.1+dfsg/debian/changelog
--- openslide-3.4.1+dfsg/debian/changelog       2022-05-23 23:13:35.000000000 
+0200
+++ openslide-3.4.1+dfsg/debian/changelog       2026-06-14 19:52:57.000000000 
+0200
@@ -1,3 +1,13 @@
+openslide (3.4.1+dfsg-6+deb12u1) bookworm-security; urgency=medium
+
+  * Team upload.
+  * CVE-2026-48977.patch: new: fix CVE-2026-48977.
+    The change lacks attempt to apply the test case, because the binary
+    representation of a newly introduced test file is not possible in the
+    patch. (Closes: #1140003)
+
+ -- Étienne Mollier <[email protected]>  Sun, 14 Jun 2026 19:52:57 +0200
+
 openslide (3.4.1+dfsg-6) unstable; urgency=medium
 
   * Team upload.
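Review bot: the target distribution in the new changelog entry is `bookworm-security`, but this mail is a bookworm-pu request (Usertags: pu) for the upcoming point release rather than a security-archive upload, so the entry should be targeted at `bookworm`; please adjust before upload so the package lands in the right queue. It would also help to name the imported upstream commit (2be88bd782d9fff46de8e56a99baca523e7917b3) next to the CVE in the entry, so the changelog is self-contained without reading the patch header.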
diff -Nru openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch 
openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch
--- openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch    1970-01-01 
01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch    2026-06-14 
19:52:39.000000000 +0200
@@ -0,0 +1,28 @@
+Applied-Upstream: 2be88bd782d9fff46de8e56a99baca523e7917b3
+Author: Benjamin Gilbert <[email protected]>
+Last-Update: 2026-06-14
+Description: ventana: fail if area has invalid tile count
+ Reported-by: Erik Lening <[email protected]>
+ Signed-off-by: Benjamin Gilbert <[email protected]>
+ .
+ This Debian-specific patch lacks implementation of the test case due to
+ technical unability to represent the OS-2.bif.xdelta within a quilt
+ patch.
+Reviewed-By: Étienne Mollier <[email protected]>
+Bug-Debian: https://bugs.debian.org/1140003
+
+--- openslide.orig/src/openslide-vendor-ventana.c
++++ openslide/src/openslide-vendor-ventana.c
+@@ -524,6 +524,12 @@
+     // get tile counts
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_COLS, area->tiles_across);
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_ROWS, area->tiles_down);
++    if (area->tiles_across < 1 || area->tiles_down < 1) {
++      g_set_error(err, OPENSLIDE_ERROR, OPENSLIDE_ERROR_FAILED,
++                  "Area has invalid tile count %"PRId64"x%"PRId64,
++                  area->tiles_across, area->tiles_down);
++      goto FAIL;
++    }
+ 
+     // get position
+     // it seems these are always whole numbers, but they are sometimes
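Review bot: the `goto FAIL` in this hunk deliberately differs from upstream's `return NULL` (as the mail explains) so that the partially populated `area` goes through the 3.4.1 failure handling, yet nothing in the patch itself records that; add a one-line note in the DEP-3 header (or a comment next to the `goto`) saying why it diverges from commit 2be88bd7, otherwise the next rebase is likely to reintroduce the bare `return NULL` that broke the first revision. Since the test artifact (OS-2.bif.xdelta) is omitted and the build does not run the test suite, the header should also state how the backport was exercised, e.g. the upstream developer's review mentioned in the mail. Minor: "technical unability" should read "technical inability".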
diff -Nru openslide-3.4.1+dfsg/debian/patches/series 
openslide-3.4.1+dfsg/debian/patches/series
--- openslide-3.4.1+dfsg/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ openslide-3.4.1+dfsg/debian/patches/series  2026-06-14 19:52:39.000000000 
+0200
@@ -0,0 +1 @@
+CVE-2026-48977.patch
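The point the [ Changes ] and [ Tests ] sections make about the backport, that the rejected area must reach the function's failure handling (goto FAIL) rather than return NULL from the middle of the function, is easiest to see with a small reimplementation of the pattern. The following is an added illustration, not openslide's code: the struct layout, the attribute names, the error handling and the live-allocation counter are assumptions made for this example, and the "parse or fail" helper stands in for openslide's PARSE_INT_ATTRIBUTE_OR_FAIL macro.

```c
/* Added example (not openslide's code): the shape of the backported check,
 * a "parse or fail" attribute helper feeding a tile-count sanity check, with
 * goto-based cleanup so a rejected area is released instead of leaked.
 * Struct layout, names and attribute handling are assumptions for this
 * illustration only. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct area {
  int64_t tiles_across;
  int64_t tiles_down;
};

/* Live-allocation counter: lets a caller confirm the failure path frees. */
static int live_areas = 0;

/* Parse a decimal int64 attribute value; 0 on success, -1 on failure. */
static int parse_int64_attr(const char *value, int64_t *out) {
  char *end = NULL;
  if (value == NULL || *value == '\0') return -1;
  errno = 0;
  long long v = strtoll(value, &end, 10);
  if (errno != 0 || *end != '\0') return -1;
  *out = (int64_t)v;
  return 0;
}

/* Build an area from its NumCols/NumRows attribute strings (assumed names).
 * Returns NULL and fills err (if non-NULL) on any failure. */
struct area *area_from_attrs(const char *num_cols, const char *num_rows,
                             char *err, size_t errlen) {
  struct area *area = calloc(1, sizeof(*area));
  if (area == NULL) return NULL;
  live_areas++;

  if (parse_int64_attr(num_cols, &area->tiles_across) != 0) {
    if (err) snprintf(err, errlen, "Cannot parse NumCols attribute");
    goto FAIL;
  }
  if (parse_int64_attr(num_rows, &area->tiles_down) != 0) {
    if (err) snprintf(err, errlen, "Cannot parse NumRows attribute");
    goto FAIL;
  }
  /* The backported check: a grid with zero or negative tiles is rejected. */
  if (area->tiles_across < 1 || area->tiles_down < 1) {
    if (err)
      snprintf(err, errlen, "Area has invalid tile count %" PRId64 "x%" PRId64,
               area->tiles_across, area->tiles_down);
    goto FAIL;
  }
  return area;

FAIL:
  /* Single exit for every error path; a bare "return NULL" above would
   * skip this and leak the half-built area. */
  free(area);
  live_areas--;
  return NULL;
}

void area_free(struct area *area) {
  if (area) {
    free(area);
    live_areas--;
  }
}

int live_area_count(void) { return live_areas; }

int main(void) {
  /* Constructed attribute values standing in for a slide's XML metadata. */
  const char *cases[][2] = {{"4", "3"}, {"0", "3"}, {"-1", "2"}, {"x", "2"}};
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    char err[128] = "";
    struct area *a = area_from_attrs(cases[i][0], cases[i][1], err, sizeof err);
    if (a) {
      printf("ok: %" PRId64 "x%" PRId64 "\n", a->tiles_across, a->tiles_down);
      area_free(a);
    } else {
      printf("rejected: %s\n", err);
    }
  }
  /* Exit status 1 if any rejected area was leaked. */
  return live_area_count() == 0 ? 0 : 1;
}
```

The live-allocation counter is the check worth keeping in mind when reviewing the backport: after every rejected input it must be back at zero, which is exactly what distinguishes the goto FAIL form from upstream's return NULL in a function whose cleanup lives under a label.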
