Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits: 32db0663 by Carlos Henrique Lima Melara at 2026-02-23T23:59:32-03:00 CVE-2026-2913/vips: postponed for bullseye Upstream has declared the impact as neglible [1] "since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)", but the fix [2] seem rather trivial, so let's pick up in the future. [1] https://github.com/libvips/libvips/issues/4857#issuecomment-3878479322 [2] https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -231,6 +231,7 @@ CVE-2026-2913 (A vulnerability was determined in libvips up to 8.19.0. The affec - vips 8.18.0-2 (bug #1128785) [trixie] - vips <no-dsa> (Minor issue) [bookworm] - vips <no-dsa> (Minor issue) + [bullseye] - vips <postponed> (Minor issue, local access required, hard to trigger) NOTE: https://github.com/libvips/libvips/issues/4857 NOTE: Fixed by: https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee CVE-2026-2912 (A vulnerability was found in code-projects Online Reviewer System 1.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32db0663eb1909f99c4a88a99ef28f9b326a805b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32db0663eb1909f99c4a88a99ef28f9b326a805b You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
