Your message dated Sat, 16 May 2026 11:07:43 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1132857,
regarding bookworm-pu: vips/8.14.1-3+deb12u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132857: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132857
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:vips
User: [email protected]
Usertags: pu

[ Reason ]
There are eight security fixes in VIPS that do not warrant a DSA. As
it is an image processing library and tool set, it is in practice fed
untrusted images from some sources, so I would like to ship these
fixes via the proposed-updates (pu) procedure.

[ Impact ]
Users will be protected against crafted images and out-of-range
operation arguments that could be used to crash or exploit their
system. At least one issue has a public exploit available.

[ Tests ]
Build and some basic testing. This update was made by me and double
checked by Moritz Mühlenhoff from the Security Team.

[ Risks ]
Very small, all changes are only additional validity checking and
using the correct variable types in some places.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issues are verified as fixed in unstable

Thanks,
Laszlo/GCS
diff -Nru vips-8.14.1/debian/changelog vips-8.14.1/debian/changelog
--- vips-8.14.1/debian/changelog	2025-04-30 20:53:34.000000000 +0200
+++ vips-8.14.1/debian/changelog	2026-04-06 07:36:49.000000000 +0200
@@ -1,3 +1,14 @@
+vips (8.14.1-3+deb12u3) bookworm; urgency=medium
+
+  * CVE-2026-3283 CVE-2026-3284 (Closes: #1129310)
+  * CVE-2026-3282 (Closes: #1129311)
+  * CVE-2026-3281 (Closes: #1129312)
+  * CVE-2026-3147 (Closes: #1129314)
+  * CVE-2026-3145 CVE-2026-3146 (Closes: #1129315)
+  * CVE-2026-2913 (Closes: #1128785)
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]>  Mon, 06 Apr 2026 07:36:49 +0200
+
 vips (8.14.1-3+deb12u2) bookworm-security; urgency=high
 
   * Non-maintainer upload.
diff -Nru vips-8.14.1/debian/patches/CVE-2026-2913.patch vips-8.14.1/debian/patches/CVE-2026-2913.patch
--- vips-8.14.1/debian/patches/CVE-2026-2913.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2026-2913.patch	2026-04-06 02:13:53.000000000 +0200
@@ -0,0 +1,50 @@
+From a56feecbe9ed66521d9647ec9fbcd2546eccd7ee Mon Sep 17 00:00:00 2001
+From: Kleis Auke Wolthuizen <[email protected]>
+Date: Thu, 12 Feb 2026 10:38:55 +0100
+Subject: [PATCH] source: guard against length truncation (#4858)
+
+--- vips-8.14.1.orig/libvips/iofuncs/source.c
++++ vips-8.14.1/libvips/iofuncs/source.c
+@@ -929,6 +929,12 @@ vips_source_read_to_memory( VipsSource *
+ 	g_assert( !source->header_bytes );
+ 	g_assert( source->length >= 0 );
+ 
++	if (G_UNLIKELY(source->length > UINT_MAX)) {
++		vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++			"%s", _("length overflow"));
++		return -1;
++	}
++
+ 	if( vips_source_rewind( source ) )
+ 		return( -1 );
+ 
+@@ -936,7 +942,7 @@ vips_source_read_to_memory( VipsSource *
+ 	 * directly to it.
+ 	 */
+ 	byte_array = g_byte_array_new();
+-	g_byte_array_set_size( byte_array, source->length );
++	g_byte_array_set_size(byte_array, (guint) source->length);
+ 
+ 	read_position = 0;
+ 	q = byte_array->data;
+@@ -1320,13 +1326,19 @@ vips_source_sniff_at_most( VipsSource *s
+ 
+ 	VIPS_DEBUG_MSG( "vips_source_sniff_at_most: %zd bytes\n", length );
+ 
++	if (G_UNLIKELY(length > UINT_MAX)) {
++		vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++			"%s", _("length overflow"));
++		return -1;
++	}
++
+ 	SANITY( source );
+ 
+ 	if( vips_source_test_features( source ) ||
+ 		vips_source_rewind( source ) )
+ 		return( -1 );
+ 
+-	g_byte_array_set_size( source->sniff, length );
++	g_byte_array_set_size(source->sniff, (guint) length);
+ 
+ 	read_position = 0; 
+ 	q = source->sniff->data;
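Review bot: The new `length > UINT_MAX` guards (L90, L112) stop the 64→32-bit truncation in the `g_byte_array_set_size()` calls, but any declared length up to UINT_MAX from an untrusted source still goes straight into an allocation; as far as I know GLib's array growth aborts rather than fails on allocation failure, so a crafted length near 4 GiB still terminates the process instead of returning -1. If a smaller ceiling is acceptable for sniffing and whole-source reads, consider bounding it with an explicit, documented maximum, or at least add a comment stating that the cap is the guint limit, not a sane-input limit: `/* guint cap only: guards the truncation, not the size of the allocation */`. Separately, `vips_source_sniff_at_most()` prints `length` with `%zd` (L110); on ports where `size_t` is 32-bit the comparison is always false, which is harmless but may warn under -Wtype-limits. Both enclosing functions continue outside the hunk.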
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch
--- vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch	2026-04-06 07:36:49.000000000 +0200
@@ -0,0 +1,28 @@
+From d4ce337c76bff1b278d7085c3c4f4725e3aa6ece Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 12:31:43 +0000
+Subject: [PATCH] matrixload: guard against empty and very large inputs (#4888)
+
+--- vips-8.14.1.orig/libvips/foreign/matrixload.c
++++ vips-8.14.1/libvips/foreign/matrixload.c
+@@ -187,7 +187,10 @@ vips_foreign_load_matrix_header( VipsFor
+ 	if( vips_source_rewind( matrix->source ) )
+ 		return( -1 );
+ 
+-	line = vips_sbuf_get_line_copy( matrix->sbuf );
++	if (!(line = vips_sbuf_get_line_copy(matrix->sbuf))) {
++		vips_error("mask2vips", "%s", _("invalid header"));
++		return -1;
++	}
+ 	result = parse_matrix_header( line, &width, &height, &scale, &offset );
+ 	g_free( line );
+ 	if( result )
+@@ -333,7 +336,7 @@ static gboolean
+ vips_foreign_load_matrix_file_is_a( const char *filename )
+ {
+ 	unsigned char line[80];
+-	guint64 bytes;
++	gint64 bytes;
+ 	int width;
+ 	int height;
+ 	double scale;
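Review bot: Changing `bytes` from `guint64` to `gint64` (L157) only helps if the code that follows — outside this hunk — treats a negative return from the sniff as failure before it parses `line`; `line` is an uninitialized 80-byte buffer (L155), so please confirm a check like `if (bytes < 0) return FALSE;` is present there, otherwise the signedness change alone does not prevent reading unset bytes. The NULL check at L145 is correct; a short comment would help future readers: `/* an empty source yields no line; fail as an invalid header rather than passing NULL on */`. vips_foreign_load_matrix_header and vips_foreign_load_matrix_file_is_a both continue outside the hunk.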
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3147.patch vips-8.14.1/debian/patches/CVE-2026-3147.patch
--- vips-8.14.1/debian/patches/CVE-2026-3147.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2026-3147.patch	2026-04-06 01:48:31.000000000 +0200
@@ -0,0 +1,21 @@
+From b3ab458a25e0e261cbd1788474bbc763f7435780 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Sat, 21 Feb 2026 19:00:31 +0000
+Subject: [PATCH] csvload: check whitespace and separator are ASCII (#4894)
+
+--- vips-8.14.1.orig/libvips/foreign/csvload.c
++++ vips-8.14.1/libvips/foreign/csvload.c
+@@ -122,6 +122,13 @@ vips_foreign_load_csv_build( VipsObject
+ 	int i;
+ 	const char *p;
+ 
++	if (!g_str_is_ascii(csv->whitespace) ||
++		!g_str_is_ascii(csv->separator)) {
++		vips_error("csvload", "%s",
++			_("whitespace and separator must be ASCII"));
++		return -1;
++	}
++
+ 	if( !(csv->sbuf = vips_sbuf_new_from_source( csv->source )) )
+ 		return( -1 );
+ 
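Review bot: The ASCII check on `csv->whitespace` and `csv->separator` (L176–L181) rejects the bad input, but the hazard it presumably guards — indexing a byte table with a plain `char`, which is signed on x86 and goes negative for bytes ≥ 0x80 — lives outside the hunk, so the index site should also be hardened by casting through `(unsigned char)` as defense in depth. Note too that `g_str_is_ascii()` dereferences its argument without a NULL guard; if either property can be explicitly set to NULL, the condition should become `if (!csv->whitespace || !csv->separator || !g_str_is_ascii(csv->whitespace) || !g_str_is_ascii(csv->separator))`. A one-line comment would document the intent: `/* non-ASCII bytes would turn into negative table indices below */`. vips_foreign_load_csv_build continues outside the hunk.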
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3281.patch vips-8.14.1/debian/patches/CVE-2026-3281.patch
--- vips-8.14.1/debian/patches/CVE-2026-3281.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2026-3281.patch	2026-04-06 01:48:31.000000000 +0200
@@ -0,0 +1,18 @@
+From fd28c5463697712cb0ab116a2c55e4f4d92c4088 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Sun, 22 Feb 2026 09:39:05 +0000
+Subject: [PATCH] bandrank: check index is in range #4878 (#4895)
+
+--- vips-8.14.1.orig/libvips/conversion/bandrank.c
++++ vips-8.14.1/libvips/conversion/bandrank.c
+@@ -205,6 +205,10 @@ vips_bandrank_build( VipsObject *object
+ 
+ 		if( bandrank->index == -1 )
+ 			bandrank->index = bandary->n / 2; 
++		else if (bandrank->index >= bandary->n) {
++			vips_error(class->nickname, _("index out of range"));
++			return -1;
++		}
+ 	}
+ 
+ 	if( VIPS_OBJECT_CLASS( vips_bandrank_parent_class )->build( object ) )
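Review bot: `vips_error(class->nickname, _("index out of range"))` at L202 passes the translated string as the printf format, so a translation containing `%` would be interpreted as a conversion; the sibling hunks use the safe form and this one should too: `vips_error(class->nickname, "%s", _("index out of range"));`. The range check also only rejects `index >= bandary->n`; a negative value other than -1 falls through both branches, so unless the argument's declared minimum (not in the hunk) excludes it, `bandrank->index < 0 ||` belongs in the same condition. vips_bandrank_build continues outside the hunk.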
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3282.patch vips-8.14.1/debian/patches/CVE-2026-3282.patch
--- vips-8.14.1/debian/patches/CVE-2026-3282.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2026-3282.patch	2026-04-06 01:48:31.000000000 +0200
@@ -0,0 +1,18 @@
+From 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 13:50:37 +0000
+Subject: [PATCH] unpremultiply: check alpha_band is in range #4881 (#4886)
+
+--- vips-8.14.1.orig/libvips/conversion/unpremultiply.c
++++ vips-8.14.1/libvips/conversion/unpremultiply.c
+@@ -284,6 +284,10 @@ vips_unpremultiply_build( VipsObject *ob
+ 	 */
+ 	if( !vips_object_argument_isset( object, "alpha_band" ) ) 
+ 		unpremultiply->alpha_band = in->Bands - 1;
++	else if (unpremultiply->alpha_band >= in->Bands) {
++		vips_error(class->nickname, "%s", _("alpha_band out of range"));
++		return -1;
++	}
+ 
+ 	if( in->BandFmt == VIPS_FORMAT_DOUBLE )
+ 		conversion->out->BandFmt = VIPS_FORMAT_DOUBLE;
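Review bot: The new branch rejects `alpha_band >= in->Bands` but not a negative `alpha_band`; if the property's declared minimum (outside the hunk) is not 0, `unpremultiply->alpha_band < 0 ||` is needed in the same condition to keep the band index in range. The check is skipped whenever the argument is unset, which is sound because the default `in->Bands - 1` is derived from the image, but a comment would make that explicit: `/* an explicit alpha_band must name an existing band; the default is taken from in */`. vips_unpremultiply_build continues outside the hunk.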
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch
--- vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch	2025-04-30 20:53:34.000000000 +0200
@@ -0,0 +1,28 @@
+From 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 08:39:31 +0000
+Subject: [PATCH] extract: check bounds using unsigned arith #4879 #4880
+ (#4887)
+
+--- vips-8.14.1.orig/libvips/conversion/extract.c
++++ vips-8.14.1/libvips/conversion/extract.c
+@@ -143,8 +143,8 @@ vips_extract_area_build( VipsObject *obj
+ 		build( object ) )
+ 		return( -1 );
+ 
+-	if( extract->left + extract->width > extract->in->Xsize ||
+-		extract->top + extract->height > extract->in->Ysize ||
++	if ((guint64) extract->left + extract->width > extract->in->Xsize ||
++		(guint64) extract->top + extract->height > extract->in->Ysize ||
+ 		extract->left < 0 || extract->top < 0 ||
+ 		extract->width <= 0 || extract->height <= 0 ) {
+ 		vips_error( class->nickname, "%s", _( "bad extract area" ) );
+@@ -385,7 +385,7 @@ vips_extract_band_build( VipsObject *obj
+ 		bandary->in = &extract->in;
+ 		bandary->out_bands = extract->n;
+ 
+-		if( extract->band + extract->n > bands ) {
++		if ((guint64) extract->band + extract->n > bands) {
+ 			vips_error( class->nickname, 
+ 				"%s", _( "bad extract band" ) );
+ 			return( -1 );
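Review bot: `(guint64) extract->band + extract->n > bands` at L258 relies on `band` and `n` being non-negative: a negative `n` is converted to an unsigned value and wraps the sum, so band=1, n=-1 yields 0 and passes the check. The area hunk above guards against this explicitly with `extract->left < 0 || extract->top < 0 || extract->width <= 0 || extract->height <= 0` (L250–L251), but no equivalent `extract->band < 0 || extract->n <= 0` is visible for the band path; unless the property ranges declared elsewhere enforce it, add those terms to the same condition. Both build functions continue outside the hunk.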
diff -Nru vips-8.14.1/debian/patches/series vips-8.14.1/debian/patches/series
--- vips-8.14.1/debian/patches/series	2025-04-30 20:53:34.000000000 +0200
+++ vips-8.14.1/debian/patches/series	2026-04-06 07:36:49.000000000 +0200
@@ -3,3 +3,9 @@
 CVE-2023-40032.patch
 CVE-2025-29769/01-9ab6784f6.patch
 CVE-2025-29769/02-8effeb912.patch
+CVE-2026-3283_CVE-2026-3284.patch
+CVE-2026-3282.patch
+CVE-2026-3281.patch
+CVE-2026-3147.patch
+CVE-2026-3145_CVE-2026-3146.patch
+CVE-2026-2913.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---
