Your message dated Sun, 02 Nov 2025 23:02:35 +0000
with message-id <[email protected]>
and subject line Bug#1112346: fixed in sail 0.9.8-1+deb13u1
has caused the Debian Bug report #1112346,
regarding sail: CVE-2025-32468 CVE-2025-35984 CVE-2025-46407 CVE-2025-50129 
CVE-2025-52456 CVE-2025-52930 CVE-2025-53085 CVE-2025-53510
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1112346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112346
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sail
Version: 0.9.8-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for sail.

CVE-2025-32468[0]:
| A memory corruption vulnerability exists in the BMPv3 Image Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| loading a specially crafted .bmp file, an integer overflow can be
| made to occur when calculating the stride for decoding. Afterwards,
| this will cause a heap-based buffer to overflow when decoding the
| image which can lead to remote code execution. An attacker will need
| to convince the library to read a file to trigger this
| vulnerability.


CVE-2025-35984[1]:
| A memory corruption vulnerability exists in the PCX Image Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| decoding the image data from a specially crafted .pcx file, a heap-
| based buffer overflow can occur which allows for remote code
| execution. An attacker will need to convince the library to read a
| file to trigger this vulnerability.


CVE-2025-46407[2]:
| A memory corruption vulnerability exists in the BMPv3 Palette
| Decoding functionality of the SAIL Image Decoding Library v0.9.8.
| When loading a specially crafted .bmp file, an integer overflow can
| be made to occur which will cause a heap-based buffer to overflow
| when reading the palette from the image. These conditions can allow
| for remote code execution. An attacker will need to convince the
| library to read a file to trigger this vulnerability.


CVE-2025-50129[3]:
| A memory corruption vulnerability exists in the PCX Image Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| decoding the image data from a specially crafted .tga file, a heap-
| based buffer overflow can occur which allows for remote code
| execution. An attacker will need to convince the library to read a
| file to trigger this vulnerability.


CVE-2025-52456[4]:
| A memory corruption vulnerability exists in the WebP Image Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| loading a specially crafted .webp animation an integer overflow can
| be made to occur when calculating the stride for decoding.
| Afterwards, this will cause a heap-based buffer to overflow when
| decoding the image which can lead to remote code execution. An
| attacker will need to convince the library to read a file to trigger
| this vulnerability.


CVE-2025-52930[5]:
| A memory corruption vulnerability exists in the BMPv3 RLE Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| decompressing the image data from a specially crafted .bmp file, a
| heap-based buffer overflow can occur which allows for remote code
| execution. An attacker will need to convince the library to read a
| file to trigger this vulnerability.


CVE-2025-53085[6]:
| A memory corruption vulnerability exists in the PSD RLE Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| decompressing the image data from a specially crafted .psd file, a
| heap-based buffer overflow can occur which allows for remote code
| execution. An attacker will need to convince the library to read a
| file to trigger this vulnerability.


CVE-2025-53510[7]:
| A memory corruption vulnerability exists in the PSD Image Decoding
| functionality of the SAIL Image Decoding Library v0.9.8. When
| loading a specially crafted .psd file, an integer overflow can be
| made to occur when calculating the stride for decoding. Afterwards,
| this will cause a heap-based buffer to overflow when decoding the
| image which can lead to remote code execution. An attacker will need
| to convince the library to read a file to trigger this
| vulnerability.

They should be fixed in 0.9.9 TTBOMK, but please double-check.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32468
    https://www.cve.org/CVERecord?id=CVE-2025-32468
[1] https://security-tracker.debian.org/tracker/CVE-2025-35984
    https://www.cve.org/CVERecord?id=CVE-2025-35984
[2] https://security-tracker.debian.org/tracker/CVE-2025-46407
    https://www.cve.org/CVERecord?id=CVE-2025-46407
[3] https://security-tracker.debian.org/tracker/CVE-2025-50129
    https://www.cve.org/CVERecord?id=CVE-2025-50129
[4] https://security-tracker.debian.org/tracker/CVE-2025-52456
    https://www.cve.org/CVERecord?id=CVE-2025-52456
[5] https://security-tracker.debian.org/tracker/CVE-2025-52930
    https://www.cve.org/CVERecord?id=CVE-2025-52930
[6] https://security-tracker.debian.org/tracker/CVE-2025-53085
    https://www.cve.org/CVERecord?id=CVE-2025-53085
[7] https://security-tracker.debian.org/tracker/CVE-2025-53510
    https://www.cve.org/CVERecord?id=CVE-2025-53510

Regards,
Salvatore

--- End Message ---
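
The stride overflow described for CVE-2025-32468, CVE-2025-52456 and CVE-2025-53510 in the report above, shown as an added C example. It is not SAIL's code and not the upstream patch. The function names, the `max_bytes` cap and the header values are assumptions constructed for illustration; rows are padded to 4 bytes as in BMP.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked 32-bit arithmetic, the bug class the advisories describe: the
 * product wraps modulo 2^32 and the stride comes out far too small. */
static uint32_t stride_unchecked(uint32_t width, uint32_t bpp)
{
    return ((width * bpp + 31u) / 32u) * 4u;
}

/* Checked form: returns 0 and stores the stride, or -1 if the header values
 * cannot be represented in size_t. */
static int stride_checked(uint32_t width, uint32_t bpp, size_t *out)
{
    if (width == 0 || bpp == 0 || bpp > 64)
        return -1;
    if ((size_t)width > (SIZE_MAX - 31) / bpp)
        return -1;                       /* width * bpp + 31 would overflow */
    /* (bits + 31) / 32 is at most SIZE_MAX / 32, so * 4 cannot overflow. */
    *out = (((size_t)width * bpp + 31) / 32) * 4;
    return 0;
}

/* Allocate the pixel buffer only when stride * height fits in size_t and
 * stays under a caller-chosen cap (max_bytes is an assumed policy knob). */
static void *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp,
                          size_t max_bytes, size_t *stride)
{
    if (height == 0 || stride_checked(width, bpp, stride) != 0)
        return NULL;
    if (*stride > max_bytes / height)    /* also rules out overflow */
        return NULL;
    return calloc(height, *stride);
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    uint32_t w = 0x08000001u, h = 16, bpp = 32;
    size_t stride = 0;
    void *p = alloc_pixels(w, h, bpp, (size_t)64 << 20, &stride);
    printf("unchecked stride: %u bytes\n", (unsigned)stride_unchecked(w, bpp));
    printf("checked allocation: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

A decoder that sizes its row buffer from the unchecked value and then writes `width` pixels per row is the heap overflow the advisories describe; the checked path refuses the header before any allocation.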
--- Begin Message ---
Source: sail
Source-Version: 0.9.8-1+deb13u1
Done: Sudip Mukherjee <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sudip Mukherjee <[email protected]> (supplier of updated sail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Nov 2025 21:13:55 +0000
Source: sail
Architecture: source
Version: 0.9.8-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Sudip Mukherjee <[email protected]>
Changed-By: Sudip Mukherjee <[email protected]>
Closes: 1112346
Changes:
 sail (0.9.8-1+deb13u1) trixie; urgency=medium
 .
   * Add upstream patches to fix security vulnerabilities. (Closes: #1112346)
     - CVE-2025-32468
     - CVE-2025-35984
     - CVE-2025-46407
     - CVE-2025-50129
     - CVE-2025-52456
     - CVE-2025-52930
     - CVE-2025-53085
     - CVE-2025-53510

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
