Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:giflib
User: [email protected]
Usertags: pu


As part of the LTS team I've updated giflib for LTS and ELTS.

This fixes two CVEs which are marked no-DSA.

Related update for trixie-proposed-update, #1140102, was prepared by
jmm. The difference for CVE-2026-26740 is that upstream now has a
dedicated commit to fix this issue [1] and I am choosing this version
over the maintainer fix.

[1] https://sourceforge.net/p/giflib/code/ci/061605081115bbfd7019bafc119a13b6f17fcf25

Build and tests are fine in debusine. [2]
[2] https://debusine.debian.net/debian/developers/work-request/893443/

I'm going to upload the changes after sending this mail.

-- 
tobi

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru giflib-5.2.1/debian/changelog giflib-5.2.1/debian/changelog
--- giflib-5.2.1/debian/changelog       2022-06-12 18:32:15.000000000 +0200
+++ giflib-5.2.1/debian/changelog       2026-06-26 09:19:21.000000000 +0200
@@ -1,3 +1,13 @@
+giflib (5.2.1-2.5+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team
+  * Enable CI for bookworm, adapt gbp.conf for bookworm.
+  * Backport fixes for:
+    - CVE-2026-23868 - double-free vulnerability (Closes: #1130495)
+    - CVE-2026-26740 - heap OOB write (Closes: #1131368)
+
+ -- Tobias Frost <[email protected]>  Fri, 26 Jun 2026 09:19:21 +0200
+
 giflib (5.2.1-2.5) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru giflib-5.2.1/debian/gbp.conf giflib-5.2.1/debian/gbp.conf
--- giflib-5.2.1/debian/gbp.conf        1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/gbp.conf        2026-06-26 09:07:42.000000000 +0200
@@ -0,0 +1,7 @@
+[DEFAULT]
+upstream-tag = upstream/%(version)s
+debian-branch = debian/bookworm
+pristine-tar=True
+
+[import-orig]
+filter=[ '.gitignore', '.travis.yml', '.git*' ]
diff -Nru giflib-5.2.1/debian/giflib-dbg.docs 
giflib-5.2.1/debian/giflib-dbg.docs
--- giflib-5.2.1/debian/giflib-dbg.docs 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/giflib-dbg.docs 2026-06-26 09:07:42.000000000 +0200
@@ -0,0 +1,2 @@
+NEWS
+TODO
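
Review bot: debian/giflib-dbg.docs is added as a new file here, but the changelog entry for 5.2.1-2.5+deb12u1 lists only the CI enablement, the gbp.conf change and the two CVE backports. Either add a changelog line explaining why this file is needed, or drop it from the upload if it came in unintentionally from the packaging branch, so that the debdiff matches the "all changes are documented in the d/changelog" checklist item.
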
diff -Nru giflib-5.2.1/debian/patches/CVE-2026-23868.patch 
giflib-5.2.1/debian/patches/CVE-2026-23868.patch
--- giflib-5.2.1/debian/patches/CVE-2026-23868.patch    1970-01-01 
01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/patches/CVE-2026-23868.patch    2026-06-26 
09:07:42.000000000 +0200
@@ -0,0 +1,25 @@
+Description: CVE-2026-23868 - double-free vulnerability
+Origin: 
https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130495
+
+commit f5b7267aed3665ef025c13823e454170d031c106
+Author: Eric S. Raymond <[email protected]>
+Date:   Wed Mar 4 18:49:49 2026 -0500
+
+--- a/gifalloc.c
++++ b/gifalloc.c
+@@ -346,6 +346,14 @@
+              * problems.
+              */
+ 
++                      /* Null out aliased pointers before any allocations
++                       * so that FreeLastSavedImage won't free CopyFrom's
++                       * data if an allocation fails partway through. */
++                      sp->ImageDesc.ColorMap = NULL;
++                      sp->RasterBits = NULL;
++                      sp->ExtensionBlocks = NULL;
++                      sp->ExtensionBlockCount = 0;
++
+             /* first, the local color map */
+             if (CopyFrom->ImageDesc.ColorMap != NULL) {
+                 sp->ImageDesc.ColorMap = GifMakeMapObject(
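
Review bot: in the gifalloc.c hunk the four resets (sp->ImageDesc.ColorMap, sp->RasterBits, sp->ExtensionBlocks, sp->ExtensionBlockCount) are only safe if every later copy reads from CopyFrom rather than from sp. The visible context confirms that for the color map (CopyFrom->ImageDesc.ColorMap), but the raster and extension-block copies fall outside the hunk context, and this is a backport of a 2026 upstream commit onto 5.2.1. Worth confirming in the 5.2.1 source that those copies also read from CopyFrom and that no other pointer member of the saved image stays aliased; a clean apply at line 346 does not show that by itself. The embedded commit also carries no message, so one sentence in the DEP-3 header on which aliasing is being broken would help later readers.
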
diff -Nru giflib-5.2.1/debian/patches/CVE-2026-26740.patch 
giflib-5.2.1/debian/patches/CVE-2026-26740.patch
--- giflib-5.2.1/debian/patches/CVE-2026-26740.patch    1970-01-01 
01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/patches/CVE-2026-26740.patch    2026-06-26 
09:07:42.000000000 +0200
@@ -0,0 +1,34 @@
+Description: CVE-2026-26740 -- heap OOB write in EGifGCBToSavedExtension
+Origin: 
https://sourceforge.net/p/giflib/code/ci/061605081115bbfd7019bafc119a13b6f17fcf25
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131368
+Bug: https://sourceforge.net/p/giflib/bugs/199/
+Bug: https://sourceforge.net/p/giflib/bugs/201/
+commit 061605081115bbfd7019bafc119a13b6f17fcf25
+Author: Anthony Hurtado <[email protected]>
+Date:   Mon Jun 1 15:40:48 2026 -0500
+
+    Fix CVE-2026-26740: heap OOB write in EGifGCBToSavedExtension
+    
+    EGifGCBToSavedExtension calls EGifGCBToExtension which unconditionally
+    writes 4 bytes into ep->Bytes without checking ep->ByteCount.  If the
+    extension block was allocated with fewer than 4 bytes, this results in
+    a heap buffer overflow.
+    
+    The read-side counterpart DGifExtensionToGCB already validates that
+    GifExtensionLength == 4 before reading.  Add the symmetric check on
+    the write side: return GIF_ERROR when ep->ByteCount < 4.
+    
+    Signed-off-by: Anthony Hurtado <[email protected]>
+
+--- a/egif_lib.c
++++ b/egif_lib.c
+@@ -687,6 +687,9 @@
+     for (i = 0; i < GifFile->SavedImages[ImageIndex].ExtensionBlockCount; 
i++) {
+       ExtensionBlock *ep = 
&GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
+       if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
++              if (ep->ByteCount < 4) {
++                      return GIF_ERROR;
++              }
+           EGifGCBToExtension(GCB, ep->Bytes);
+           return GIF_OK;
+       }
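
Review bot: the new guard in the egif_lib.c hunk rejects only ep->ByteCount < 4, while the commit message describes the read side as requiring GifExtensionLength == 4 and calls the new check symmetric. With "< 4" a graphics control block longer than 4 bytes is still accepted and has its first 4 bytes overwritten; that is memory-safe, but if strict symmetry is intended the condition would be "!= 4", and if not, the description should say so. Since this is the upstream commit taken as-is, a remark in the patch header is enough. Separately, the DEP-3 header has no blank line between the last "Bug:" field and the "commit" line, unlike CVE-2026-23868.patch; add one so the header ends cleanly.
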
diff -Nru giflib-5.2.1/debian/patches/series giflib-5.2.1/debian/patches/series
--- giflib-5.2.1/debian/patches/series  2022-06-12 18:30:10.000000000 +0200
+++ giflib-5.2.1/debian/patches/series  2026-06-26 09:07:42.000000000 +0200
@@ -7,3 +7,5 @@
 giflib_quantize.patch
 dont-spoil-tests-with-stderr.patch
 giflib_quantize-header.patch
+CVE-2026-23868.patch
+CVE-2026-26740.patch
diff -Nru giflib-5.2.1/debian/salsa-ci.yml giflib-5.2.1/debian/salsa-ci.yml
--- giflib-5.2.1/debian/salsa-ci.yml    1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/salsa-ci.yml    2026-06-26 09:07:42.000000000 +0200
@@ -0,0 +1,6 @@
+---
+include:
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+    RELEASE: 'bookworm'
