Control: found -1 3.4.1+dfsg-6
Control: fixed -1 3.4.1+dfsg-9

Hi Salvatore and the Security Team,

Thank you for the notification, the fix (hopefully correct this time) should make it to Debian unstable soon, and then forky in a couple of days. I have proceeded to an urgency=high upload of openslide 3.4.1+dfsg-9 this time. I saw preparatory work for a version 4.0.0 in Salsa, but that was unfinished work and I was unsure of the blockers, so I favored a targeted fix for now.

trixie and bookworm are running the same 3.4.1 upstream version (3.4.1+dfsg-7 and 3.4.1+dfsg-6 packaging iterations respectively), so I have begun wrapping up an eventual security upload for stable and oldstable. You will find the debdiffs in attachment.

I have problems testing the fix for myself. The test suite in the package currently does not trigger, in addition to issues with inlining binaries in quilt patches. This is how I tripped on the carpet with the return NULL vs goto FAIL in the patch. Otherwise, I assume this would have been caught by the test case added along upstream commit 2be88bd. :( Thankfully, as you might have witnessed, upstream has been very reactive to pinpoint issues and provide proper corrections. :) I have reviewed the way the function parse_level0_xml evolved between 3.4.1 and 4.0.0 and I agree that the correction was needed.

With these elements, should I go ahead with upload to trixie-security and to bookworm-security?

Have a nice day, :)
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-
diff -Nru openslide-3.4.1+dfsg/debian/changelog openslide-3.4.1+dfsg/debian/changelog --- openslide-3.4.1+dfsg/debian/changelog 2023-08-25 01:17:26.000000000 +0200 +++ openslide-3.4.1+dfsg/debian/changelog 2026-06-14 19:17:44.000000000 +0200 @@ -1,3 +1,12 @@ +openslide (3.4.1+dfsg-7+deb13u1) trixie-security; urgency=medium + + * CVE-2026-48977.patch: new: fix CVE-2026-48977. + The change lacks attempt to apply the test case, because the binary + representation of a newly introduced test file is not possible in the + patch. (Closes: #1140003) + + -- Étienne Mollier <[email protected]> Sun, 14 Jun 2026 19:17:44 +0200 + openslide (3.4.1+dfsg-7) unstable; urgency=medium * Non-maintainer upload. diff -Nru openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch --- openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch 1970-01-01 01:00:00.000000000 +0100 +++ openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch 2026-06-14 19:15:49.000000000 +0200 @@ -0,0 +1,28 @@ +Applied-Upstream: 2be88bd782d9fff46de8e56a99baca523e7917b3 +Author: Benjamin Gilbert <[email protected]> +Last-Update: 2026-06-14 +Description: ventana: fail if area has invalid tile count + Reported-by: Erik Lening <[email protected]> + 
Signed-off-by: Benjamin Gilbert <[email protected]> + . + This Debian-specific patch lacks implementation of the test case due to + technical unability to represent the OS-2.bif.xdelta within a quilt + patch. +Reviewed-By: Étienne Mollier <[email protected]> +Bug-Debian: https://bugs.debian.org/1140003 + +--- openslide.orig/src/openslide-vendor-ventana.c ++++ openslide/src/openslide-vendor-ventana.c +@@ -524,6 +524,12 @@ + // get tile counts + PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_COLS, area->tiles_across); + PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_ROWS, area->tiles_down); ++ if (area->tiles_across < 1 || area->tiles_down < 1) { ++ g_set_error(err, OPENSLIDE_ERROR, OPENSLIDE_ERROR_FAILED, ++ "Area has invalid tile count %"PRId64"x%"PRId64, ++ area->tiles_across, area->tiles_down); ++ goto FAIL; ++ } + + // get position + // it seems these are always whole numbers, but they are sometimes diff -Nru openslide-3.4.1+dfsg/debian/patches/series openslide-3.4.1+dfsg/debian/patches/series --- openslide-3.4.1+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ openslide-3.4.1+dfsg/debian/patches/series 2026-06-14 19:15:49.000000000 +0200 @@ -0,0 +1 @@ +CVE-2026-48977.patch
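Review bot: in the debian/changelog hunk of the trixie debdiff, the sentence "The change lacks attempt to apply the test case" is hard to parse for someone reading the security changelog later. Something like "The upstream test case is not included, because its binary test file cannot be represented in a quilt patch" says the same thing directly.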
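Review bot: the error path added in the openslide-vendor-ventana.c hunk (@@ -524,6 +524,12 @@) depends on two things that are not visible in the context lines and that deserve a check against the 3.4.1 tree, since the commit comes from a newer upstream: the message formats area->tiles_across and area->tiles_down with PRId64, so both fields need to be int64_t there, and the goto FAIL needs to land on a label that cleans up what was allocated before this point. The patch header states that the upstream test case is left out, so nothing in the build exercises the new branch; a manual run against the upstream test file before the upload would cover that.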
diff -Nru openslide-3.4.1+dfsg/debian/changelog openslide-3.4.1+dfsg/debian/changelog --- openslide-3.4.1+dfsg/debian/changelog 2022-05-23 23:13:35.000000000 +0200 +++ openslide-3.4.1+dfsg/debian/changelog 2026-06-14 19:52:57.000000000 +0200 @@ -1,3 +1,13 @@ +openslide (3.4.1+dfsg-6+deb12u1) bookworm-security; urgency=medium + + * Team upload. + * CVE-2026-48977.patch: new: fix CVE-2026-48977. + The change lacks attempt to apply the test case, because the binary + representation of a newly introduced test file is not possible in the + patch. (Closes: #1140003) + + -- Étienne Mollier <[email protected]> Sun, 14 Jun 2026 19:52:57 +0200 + openslide (3.4.1+dfsg-6) unstable; urgency=medium * Team upload. diff -Nru openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch --- openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch 1970-01-01 01:00:00.000000000 +0100 +++ openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch 2026-06-14 19:52:39.000000000 +0200 @@ -0,0 +1,28 @@ +Applied-Upstream: 2be88bd782d9fff46de8e56a99baca523e7917b3 +Author: Benjamin Gilbert <[email protected]> +Last-Update: 2026-06-14 +Description: ventana: fail if area has invalid tile count + Reported-by: Erik Lening <[email protected]> + 
Signed-off-by: Benjamin Gilbert <[email protected]> + . + This Debian-specific patch lacks implementation of the test case due to + technical unability to represent the OS-2.bif.xdelta within a quilt + patch. +Reviewed-By: Étienne Mollier <[email protected]> +Bug-Debian: https://bugs.debian.org/1140003 + +--- openslide.orig/src/openslide-vendor-ventana.c ++++ openslide/src/openslide-vendor-ventana.c +@@ -524,6 +524,12 @@ + // get tile counts + PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_COLS, area->tiles_across); + PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_ROWS, area->tiles_down); ++ if (area->tiles_across < 1 || area->tiles_down < 1) { ++ g_set_error(err, OPENSLIDE_ERROR, OPENSLIDE_ERROR_FAILED, ++ "Area has invalid tile count %"PRId64"x%"PRId64, ++ area->tiles_across, area->tiles_down); ++ goto FAIL; ++ } + + // get position + // it seems these are always whole numbers, but they are sometimes diff -Nru openslide-3.4.1+dfsg/debian/patches/series openslide-3.4.1+dfsg/debian/patches/series --- openslide-3.4.1+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ openslide-3.4.1+dfsg/debian/patches/series 2026-06-14 19:52:39.000000000 +0200 @@ -0,0 +1 @@ +CVE-2026-48977.patch
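Review bot: the bookworm debian/changelog entry opens with "* Team upload." while the trixie entry for the same change, by the same uploader, has no such line. Whichever is right for this package, the two entries should agree.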
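Review bot: in the Description field of debian/patches/CVE-2026-48977.patch, "technical unability" should read "technical inability"; the same wording is in the trixie copy of the patch header. The code part of this patch is identical to the trixie one, so the same verification against the 3.4.1 sources applies here.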

