Your message dated Sun, 10 May 2026 18:32:25 +0000
with message-id <[email protected]>
and subject line Bug#1134335: fixed in lcms2 2.14-2+deb12u1
has caused the Debian Bug report #1134335,
regarding lcms2: CVE-2026-41254
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lcms2
Version: 2.17-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for lcms2.

CVE-2026-41254[0]:
| Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize
| in cmslut.c because the overflow check is performed after the
| multiplication.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41254
    https://www.cve.org/CVERecord?id=CVE-2026-41254
[1] https://www.openwall.com/lists/oss-security/2026/04/17/16
[2] https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow/
[3] https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0
[4] https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
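
The flaw class named in the CVE text above (an overflow check placed after the multiplication), shown as an added example. This is not lcms2's code or the upstream patch. The function names, the zero-means-error convention and the input values are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed ordering: multiply first, test afterwards. Unsigned arithmetic
   wraps modulo 2^32, so the test only ever sees the wrapped value. */
uint32_t cube_size_check_after(const uint32_t dims[], size_t n)
{
    uint32_t rv = 1;
    for (size_t i = 0; i < n; i++) {
        if (dims[i] == 0) return 0;               /* 0 signals an error */
        rv *= dims[i];                            /* may already have wrapped */
        if (rv > UINT32_MAX / dims[i]) return 0;  /* too late to detect it */
    }
    return rv;
}

/* Corrected ordering: prove the product fits, then compute it. */
uint32_t cube_size_check_before(const uint32_t dims[], size_t n)
{
    uint32_t rv = 1;
    for (size_t i = 0; i < n; i++) {
        if (dims[i] == 0) return 0;
        if (rv > UINT32_MAX / dims[i]) return 0;  /* rv * dims[i] would not fit */
        rv *= dims[i];
    }
    return rv;
}

/* Constructed input: 3 * 1431655766 = 2^32 + 2, which wraps to 2. */
static const uint32_t wrapping_dims[] = { 3u, 1431655766u };
/* Constructed input whose product (4913) fits without wrapping. */
static const uint32_t small_dims[] = { 17u, 17u, 17u };

int main(void)
{
    /* The flawed version reports a tiny size for a huge table, so a caller
       sizing a buffer from it would get far fewer entries than needed. */
    printf("check after : %u\n", (unsigned)cube_size_check_after(wrapping_dims, 2));
    printf("check before: %u\n", (unsigned)cube_size_check_before(wrapping_dims, 2));
    printf("small input : %u / %u\n",
           (unsigned)cube_size_check_after(small_dims, 3),
           (unsigned)cube_size_check_before(small_dims, 3));
    return 0;
}
```
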
--- Begin Message ---
Source: lcms2
Source-Version: 2.14-2+deb12u1
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lcms2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated lcms2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Apr 2026 20:16:10 +0200
Source: lcms2
Architecture: source
Version: 2.14-2+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Thomas Weber <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1134335
Changes:
 lcms2 (2.14-2+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2026-41254 (Closes: #1134335)


--- End Message ---