--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:vips
User: [email protected]
Usertags: pu
Hi RMs,
[ Reason ]
There are eight security fixes in VIPS that do not warrant a DSA. As
VIPS is an image-processing library and set of tools, it may process
untrusted images from some sources, so I would like to update it via
the PU procedure.
[ Impact ]
Users will be safe from various malicious images that can exploit
their system. At least one issue has a public exploit available.
[ Tests ]
Build and some basic testing. This update was done by Moritz
Mühlenhoff from the Security Team and I've double checked. He also did
successful Debusine checking with this update.
[ Risks ]
Very small, all changes are only additional validity checking and
using the correct variable types in some places.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issues are verified as fixed in unstable
Thanks,
Laszlo/GCS
diff -Nru vips-8.16.1/debian/changelog vips-8.16.1/debian/changelog
--- vips-8.16.1/debian/changelog 2025-03-15 16:12:33.000000000 +0100
+++ vips-8.16.1/debian/changelog 2026-04-06 14:18:12.000000000 +0200
@@ -1,3 +1,15 @@
+vips (8.16.1-1+deb13u1) trixie; urgency=medium
+
+ [ Moritz Mühlenhoff <[email protected]> ]
+ * CVE-2026-3283 CVE-2026-3284 (Closes: #1129310)
+ * CVE-2026-3282 (Closes: #1129311)
+ * CVE-2026-3281 (Closes: #1129312)
+ * CVE-2026-3147 (Closes: #1129314)
+ * CVE-2026-3145 CVE-2026-3146 (Closes: #1129315)
+ * CVE-2026-2913 (Closes: #1128785)
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]> Mon, 06 Apr 2026 14:18:12 +0200
+
vips (8.16.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru vips-8.16.1/debian/patches/CVE-2026-2913.patch vips-8.16.1/debian/patches/CVE-2026-2913.patch
--- vips-8.16.1/debian/patches/CVE-2026-2913.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-2913.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,50 @@
+From a56feecbe9ed66521d9647ec9fbcd2546eccd7ee Mon Sep 17 00:00:00 2001
+From: Kleis Auke Wolthuizen <[email protected]>
+Date: Thu, 12 Feb 2026 10:38:55 +0100
+Subject: [PATCH] source: guard against length truncation (#4858)
+
+--- vips-8.16.1.orig/libvips/iofuncs/source.c
++++ vips-8.16.1/libvips/iofuncs/source.c
+@@ -912,6 +912,12 @@ vips_source_read_to_memory(VipsSource *s
+ g_assert(!source->header_bytes);
+ g_assert(source->length >= 0);
+
++ if (G_UNLIKELY(source->length > UINT_MAX)) {
++ vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++ "%s", _("length overflow"));
++ return -1;
++ }
++
+ if (vips_source_rewind(source))
+ return -1;
+
+@@ -919,7 +925,7 @@ vips_source_read_to_memory(VipsSource *s
+ * directly to it.
+ */
+ byte_array = g_byte_array_new();
+- g_byte_array_set_size(byte_array, source->length);
++ g_byte_array_set_size(byte_array, (guint) source->length);
+
+ read_position = 0;
+ q = byte_array->data;
+@@ -1302,13 +1308,19 @@ vips_source_sniff_at_most(VipsSource *so
+
+ VIPS_DEBUG_MSG("vips_source_sniff_at_most: %zd bytes\n", length);
+
++ if (G_UNLIKELY(length > UINT_MAX)) {
++ vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++ "%s", _("length overflow"));
++ return -1;
++ }
++
+ SANITY(source);
+
+ if (vips_source_test_features(source) ||
+ vips_source_rewind(source))
+ return -1;
+
+- g_byte_array_set_size(source->sniff, length);
++ g_byte_array_set_size(source->sniff, (guint) length);
+
+ read_position = 0;
+ q = source->sniff->data;
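Review bot: The new guard in vips_source_sniff_at_most only rejects `length > UINT_MAX`, so a negative length (the value is printed with `%zd`, which suggests a signed type, though its declaration is outside the hunk) would still reach `g_byte_array_set_size(source->sniff, (guint) length)` as a huge unsigned size. Unless every caller already guarantees a non-negative length, the check should read `if (G_UNLIKELY(length < 0 || length > UINT_MAX))`. The read_to_memory guard is fine because `g_assert(source->length >= 0)` precedes it, but note that g_assert can be compiled out with G_DISABLE_ASSERT, so the same `< 0` test would be cheap insurance there too. Both functions continue beyond the hunk.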
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch
--- vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch 2026-04-06 08:21:58.000000000 +0200
@@ -0,0 +1,28 @@
+From d4ce337c76bff1b278d7085c3c4f4725e3aa6ece Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 12:31:43 +0000
+Subject: [PATCH] matrixload: guard against empty and very large inputs (#4888)
+
+--- vips-8.16.1.orig/libvips/foreign/matrixload.c
++++ vips-8.16.1/libvips/foreign/matrixload.c
+@@ -186,7 +186,10 @@ vips_foreign_load_matrix_header(VipsFore
+ if (vips_source_rewind(matrix->source))
+ return -1;
+
+- line = vips_sbuf_get_line_copy(matrix->sbuf);
++ if (!(line = vips_sbuf_get_line_copy(matrix->sbuf))) {
++ vips_error("mask2vips", "%s", _("invalid header"));
++ return -1;
++ }
+ result = parse_matrix_header(line, &width, &height, &scale, &offset);
+ g_free(line);
+ if (result)
+@@ -331,7 +334,7 @@ static gboolean
+ vips_foreign_load_matrix_file_is_a(const char *filename)
+ {
+ unsigned char line[80];
+- guint64 bytes;
++ gint64 bytes;
+ int width;
+ int height;
+ double scale;
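Review bot: The `guint64` → `gint64` change for `bytes` in vips_foreign_load_matrix_file_is_a carries no comment saying why the signedness matters, and the read call and the comparison that consume it lie outside the hunk, so a later cleanup could easily revert it. A one-line comment would pin the intent: `gint64 bytes; /* signed: a negative (error) return must not compare as a huge byte count */` — assuming that is the motivation, which the hunk itself does not show. In the header hunk, the literal `"mask2vips"` error domain differs from the `class->nickname` used by the other patches in this upload; if the rest of matrixload.c already uses the literal, keeping it is the consistent choice.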
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3147.patch vips-8.16.1/debian/patches/CVE-2026-3147.patch
--- vips-8.16.1/debian/patches/CVE-2026-3147.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3147.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,21 @@
+From b3ab458a25e0e261cbd1788474bbc763f7435780 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Sat, 21 Feb 2026 19:00:31 +0000
+Subject: [PATCH] csvload: check whitespace and separator are ASCII (#4894)
+
+--- vips-8.16.1.orig/libvips/foreign/csvload.c
++++ vips-8.16.1/libvips/foreign/csvload.c
+@@ -121,6 +121,13 @@ vips_foreign_load_csv_build(VipsObject *
+ int i;
+ const char *p;
+
++ if (!g_str_is_ascii(csv->whitespace) ||
++ !g_str_is_ascii(csv->separator)) {
++ vips_error("csvload", "%s",
++ _("whitespace and separator must be ASCII"));
++ return -1;
++ }
++
+ if (!(csv->sbuf = vips_sbuf_new_from_source(csv->source)))
+ return -1;
+
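Review bot: `g_str_is_ascii()` walks its argument without a NULL check, so the new guard in vips_foreign_load_csv_build would crash if `csv->whitespace` or `csv->separator` can be unset; the property defaults are outside the hunk, so if NULL is reachable prepend `!csv->whitespace || !csv->separator ||` to the condition. The check also lacks a why-comment: presumably the two strings are later matched byte-wise and a multi-byte UTF-8 character would be split, so `/* matched byte-by-byte below; multi-byte UTF-8 would be split */` (to be confirmed against the parsing code, which is outside the hunk) would help the next reader. The function continues beyond the hunk.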
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3281.patch vips-8.16.1/debian/patches/CVE-2026-3281.patch
--- vips-8.16.1/debian/patches/CVE-2026-3281.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3281.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,18 @@
+From fd28c5463697712cb0ab116a2c55e4f4d92c4088 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Sun, 22 Feb 2026 09:39:05 +0000
+Subject: [PATCH] bandrank: check index is in range #4878 (#4895)
+
+--- vips-8.16.1.orig/libvips/conversion/bandrank.c
++++ vips-8.16.1/libvips/conversion/bandrank.c
+@@ -224,6 +224,10 @@ vips_bandrank_build(VipsObject *object)
+
+ if (bandrank->index == -1)
+ bandrank->index = bandary->n / 2;
++ else if (bandrank->index >= bandary->n) {
++ vips_error(class->nickname, _("index out of range"));
++ return -1;
++ }
+ }
+
+ if (VIPS_OBJECT_CLASS(vips_bandrank_parent_class)->build(object))
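Review bot: The new range check in vips_bandrank_build bounds `index` only from above (`index >= bandary->n`); any value below -1 slips through and is later used as a negative band index, unless the property definition (outside the hunk) already sets a minimum of -1. The error call also passes the translated string directly as the format argument, unlike the `"%s", _(...)` form the other patches in this upload use, so a translation containing `%` would be interpreted as a conversion. Suggested: `else if (bandrank->index < 0 || bandrank->index >= bandary->n) {` with `vips_error(class->nickname, "%s", _("index out of range"));`. The function continues beyond the hunk.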
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3282.patch vips-8.16.1/debian/patches/CVE-2026-3282.patch
--- vips-8.16.1/debian/patches/CVE-2026-3282.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3282.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,18 @@
+From 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 13:50:37 +0000
+Subject: [PATCH] unpremultiply: check alpha_band is in range #4881 (#4886)
+
+--- vips-8.16.1.orig/libvips/conversion/unpremultiply.c
++++ vips-8.16.1/libvips/conversion/unpremultiply.c
+@@ -287,6 +287,10 @@ vips_unpremultiply_build(VipsObject *obj
+ */
+ if (!vips_object_argument_isset(object, "alpha_band"))
+ unpremultiply->alpha_band = in->Bands - 1;
++ else if (unpremultiply->alpha_band >= in->Bands) {
++ vips_error(class->nickname, "%s", _("alpha_band out of range"));
++ return -1;
++ }
+
+ if (in->BandFmt == VIPS_FORMAT_DOUBLE)
+ conversion->out->BandFmt = VIPS_FORMAT_DOUBLE;
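Review bot: The new check in vips_unpremultiply_build rejects `alpha_band >= in->Bands` but not a negative `alpha_band`; an explicitly set -1 would still be used as a band index unless the property's minimum (outside the hunk) forbids it. Suggested: `else if (unpremultiply->alpha_band < 0 || unpremultiply->alpha_band >= in->Bands) {`. The function continues beyond the hunk.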
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch
--- vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,28 @@
+From 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 08:39:31 +0000
+Subject: [PATCH] extract: check bounds using unsigned arith #4879 #4880
+ (#4887)
+
+--- vips-8.16.1.orig/libvips/conversion/extract.c
++++ vips-8.16.1/libvips/conversion/extract.c
+@@ -143,8 +143,8 @@ vips_extract_area_build(VipsObject *obje
+ if (VIPS_OBJECT_CLASS(vips_extract_area_parent_class)->build(object))
+ return -1;
+
+- if (extract->left + extract->width > extract->in->Xsize ||
+- extract->top + extract->height > extract->in->Ysize ||
++ if ((guint64) extract->left + extract->width > extract->in->Xsize ||
++ (guint64) extract->top + extract->height > extract->in->Ysize ||
+ extract->left < 0 || extract->top < 0 ||
+ extract->width <= 0 || extract->height <= 0) {
+ vips_error(class->nickname, "%s", _("bad extract area"));
+@@ -393,7 +393,7 @@ vips_extract_band_build(VipsObject *obje
+ bandary->in = &extract->in;
+ bandary->out_bands = extract->n;
+
+- if (extract->band + extract->n > bands) {
++ if ((guint64) extract->band + extract->n > bands) {
+ vips_error(class->nickname,
+ "%s", _("bad extract band"));
+ return -1;
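Review bot: In vips_extract_band_build the unsigned-arithmetic check `(guint64) extract->band + extract->n > bands` does not by itself catch a negative `band` or a non-positive `n`: with band = -1 and n = 2 the sum wraps to 1, and with band = 5, n = -3 it wraps to 2, both of which pass against bands = 3, and n = 0 is accepted outright — unless the property definitions (outside the hunk) constrain band >= 0 and n >= 1. The extract_area hunk spells out `left < 0`, `width <= 0` and so on; mirroring that here, `if (extract->band < 0 || extract->n <= 0 || (guint64) extract->band + extract->n > bands)`, makes the band variant self-contained. Both functions continue beyond their hunks.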
diff -Nru vips-8.16.1/debian/patches/series vips-8.16.1/debian/patches/series
--- vips-8.16.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/series 2026-04-06 08:22:03.000000000 +0200
@@ -0,0 +1,6 @@
+CVE-2026-3283_CVE-2026-3284.patch
+CVE-2026-3282.patch
+CVE-2026-3281.patch
+CVE-2026-3147.patch
+CVE-2026-3145_CVE-2026-3146.patch
+CVE-2026-2913.patch
--- End Message ---